pfSense

The session cookie can end up being non-secure on HTTPS in a specific set of circumstances:

1. Set GUI to HTTPS
2. Logout
3. Close browser
4. Login again -- Cookie is set secure
5. Switch GUI to HTTP
6. Firewall forces a new login
7. Login -- Cookie is not secure (and can't be, since it's HTTP)
8. Switch GUI back to HTTPS
9. User remains logged in, but the cookie is still set non-secure.

We should invalidate sessions after any protocol switch to force a new login/fresh cookie.