Session cookie inconsistent behavior when switching GUI protocols
The session cookie can end up being non-secure on HTTPS in a specific set of circumstances:
1. Set GUI to HTTPS
3. Close browser
4. Login again -- Cookie is set secure
5. Switch GUI to HTTP
6. Firewall forces a new login
7. Login -- Cookie is not secure (and can't be, since it's HTTP)
8. Switch GUI back to HTTPS
9. User remains logged in, but the cookie is still set non-secure.
We should invalidate sessions after any protocol switch to force a new login/fresh cookie.