CakePHP Cookie/Session problems

Solution 1

Try adding the following to your core.php file:

Configure::write('Session.checkAgent', false);
Configure::write('Session.ini',array('session.cookie_secure' => false, 'session.referer_check' => false));

These parameters should force the cookie to persist even through Google Chrome Frame. This will set both PHP and CakePHP's settings to allow cookies to persist over http and https.

Solution 2

My suggestion is that you take a look at the packets directly, to see what is happening to the cookies.

Install Wireshark on your client machine, and connect to a remote web server. (Wireshark will ignore localhost traffic.)

My suspicion is that your cookies are either getting mangled (I once had some cookies mangled by PHP!) or they are stuck (which would be IE's fault). Either way, you will have more information about what's going wrong.

As a last resort, check the user-agent string in the code for the offending / unsupported version of IE, and urge people to upgrade.


Updated on June 05, 2022

Comments

  • JD Isaacks
    JD Isaacks almost 2 years

    I am having issues with my CakePHP application. This seems to be happening only in IE, and only on certain computers. It is consistent on the computers where it is happening though.

    Issue one: User is logged in and on the page https://example.com/users/view and clicks sign out. User is redirected to http://example.com and appears to be logged out until the user visits another https page and they are still logged in. They can click log out as many times as they want but they are always logged in on https and only get logged out on http.

    Issue two: User logs in at https://example.com/users/signin, is redirected to http://example.com, and now appears to be logged in. User goes to https://example.com/admin/slides and does not know it yet but is now logged out; clicking on any other page (or just refreshing their current page) will ask them to log in again.

    I have no idea what's going on. I have read and tried the solutions described on both these similar issues: Session not saving when moving from ssl to non-ssl and Cookie not renewing/overwriting in IE, but I am still having the same problems.

    The only clue I have noticed so far (and I don't know if this means anything) is when I debug both $_SESSION and $this->Session->read(): on HTTP pages ALWAYS only $this->Session->read() returns a value. On HTTPS pages some ALWAYS return the same value for both, others ALWAYS only return a value for $this->Session->read().

    For example, http://example.com and https://example.com/users never sees $_SESSION, https://example.com/carts always sees $_SESSION. I am not sure but I am thinking that maybe the secure pages are supposed to be seeing it and since some can't maybe something is wrong, however when I inspect the code I see no difference that would suggest why one does and one doesn't.

    Also, if I add $this->Session->destroy() to the beforeFilter in AppController, then all pages, even HTTP, can see $_SESSION. I am not actually using $_SESSION in my application, I just thought this might be a clue to what's wrong.


    UPDATE

    I took Gustav Bertram's advice and looked at the user agent string. I compared the user agent string with IE on a computer that was having the issue to IE on a computer that was not having the issue. They were the same except the one that was having problems has "google chrome frame" in the user agent string. I uninstalled Google Chrome Frame from that computer, restarted, tried again and the problem seemed to be solved.

    If this is the true cause, then the simple solution would be to make users uninstall Chrome Frame. However, I wonder if there is a workaround that would allow them to have Chrome Frame installed and still work.

  • JD Isaacks
    JD Isaacks over 12 years
    I am awarding you the bounty since your suggestion of looking at the user agent is what led to me finding the chrome frame issue. I would still like to figure out a way to get it to work with chrome frame installed though.
  • Scott Harwell
    Scott Harwell over 12 years
    Thought I would mention that these are CakePHP 2.0 parameters. They may be a little different in 1.3, but should allow you to navigate between http and https while logged in.
  • Gustav Bertram
    Gustav Bertram over 12 years
    Apparently you can insert a tag to force IE with Google Chrome to use the Chrome rendering engine. If that doesn't give you joy, it may be bug report time.
  • JD Isaacks
    JD Isaacks over 12 years
    It looks like the same syntax as 1.3; it worked in 1.3 with no errors. :) This does seem to fix the issue even when Chrome Frame is installed. Do you know why Cake was checking the agent in the first place? Sorry, I already gave the bounty away; it was about to run out when I did.
  • Scott Harwell
    Scott Harwell over 12 years
    It's a security measure. I think that by default, it wants a secure cookie to only be valid in a secure connection. If you go to http, then it's not secure anymore. So, here, we are basically turning that off. No worries on the bounty. Glad you got it working!
  • David Yell
    David Yell almost 12 years
    @ScottHarwell Will these settings have any impact on application security?
  • Scott Harwell
    Scott Harwell almost 12 years
    @DavidYell The solution wouldn't be the security issue, in my opinion. The security issue would come from passing a logged-in user between http and https. One should relegate all traffic to https to maintain proper security, making this question / solution unneeded.
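
The trade-off Scott Harwell describes, as an added CakePHP 2.x example that is not code from the question or the answers: the Solution 1 workaround beside a hardened configuration that keeps the session cookie secure-only and redirects every plain-HTTP request to HTTPS, so a logged-in session never has to straddle http and https. It assumes CakePHP 2.x with the SecurityComponent; the file paths and the forceSSL() method name are illustrative.

```php
<?php
// --- app/Config/core.php (illustrative excerpt) ---

// Weak: the Solution 1 workaround. The session cookie is also sent over plain HTTP,
// so anyone who can observe that traffic can read the cookie and reuse the session.
// checkAgent=false additionally stops Cake from tying the session to the User-Agent.
Configure::write('Session.checkAgent', false);
Configure::write('Session.ini', array(
    'session.cookie_secure' => false,
    'session.referer_check' => false,
));

// Hardened: keep the cookie TLS-only and out of reach of page scripts.
Configure::write('Session', array(
    'defaults' => 'php',
    'ini' => array(
        'session.cookie_secure'   => true,  // browser sends the cookie only over HTTPS
        'session.cookie_httponly' => true,  // cookie is not readable from JavaScript
    ),
));

// --- app/Controller/AppController.php (illustrative) ---
App::uses('Controller', 'Controller');

class AppController extends Controller {
    public $components = array('Security', 'Session', 'Auth');

    public function beforeFilter() {
        parent::beforeFilter();
        // Every non-HTTPS request is "black-holed" into forceSSL() instead of being
        // served, so there is no http page on which the secure cookie could go missing.
        $this->Security->blackHoleCallback = 'forceSSL';
        $this->Security->requireSecure();
    }

    // Send the plain-HTTP request to the same URL over HTTPS (hypothetical name).
    public function forceSSL() {
        return $this->redirect('https://' . env('SERVER_NAME') . $this->here);
    }
}
```

With all traffic on HTTPS the sign-out redirect to http://example.com from the question no longer exists, which is the condition under which the http/https cookie mismatch was observed.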