I'm currently using the HybridAuth Social Login module. It calls drupal_session_start() to initialize a session if one does not exist yet. I'm also using the SecurePages module to make most of my website https.

The problem happens when drupal_session_start() is called. If I'm on a secure page when calling drupal_session_start(), PHP will create the secure session cookie on my machine, but will not create the insecure cookie. As a result, on the next page load, Drupal will not be able to find the matching row in the sessions table for my session (since I've only provided Drupal with my secure session cookie), and this will cause Drupal to spawn me a new session with the same sid and ssid.

For now, I fixed this by setting a dummy value in the session object ($_SESSION['dummy'] = 'someval';) so that anonymous users will acquire both insecure and secure session cookies when drupal_session_commit() is called.

I believe you can reproduce this issue by:

  1. Enable Secure Pages and make your entire site https.
  2. Create a new module and create a hook_init function.
  3. Call drupal_session_start() in the init function.
  4. Check your cookies. You will only have a secure cookie present. On your next page load, Drupal will not be able to identify your existing session since you've only presented it with your secure session cookie without the accompanying insecure session cookie.
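The workaround from the summary, written out as a Drupal 7 hook_init() implementation. This is an added example, not code from the issue, HybridAuth or SecurePages; the module name session_cookie_fix is an assumption, and the cookie-name check relies on Drupal 7 naming the secure session cookie with an "S" prefix (SSESS... vs SESS...).

```php
<?php
/**
 * Implements hook_init().
 *
 * Hypothetical module "session_cookie_fix" (the name is an assumption).
 * Starts the session the way the social-login module does, and applies
 * the workaround described in the issue so that drupal_session_commit()
 * persists the session and sets both the secure and insecure cookies.
 */
function session_cookie_fix_init() {
  // Only anonymous users are affected: an authenticated user already has
  // a sessions row and both cookies from login.
  if (user_is_logged_in()) {
    return;
  }

  // Log the mismatch when it is observable: an HTTPS request that carries
  // the secure cookie but not its insecure counterpart will not match the
  // sessions table and will be handed a fresh session.
  $secure_name = session_name();
  if ($secure_name[0] === 'S') {
    $insecure_name = substr($secure_name, 1);
    if (isset($_COOKIE[$secure_name]) && !isset($_COOKIE[$insecure_name])) {
      watchdog('session_cookie_fix',
        'Secure session cookie present without the insecure cookie; session will not be matched.',
        array(), WATCHDOG_NOTICE);
    }
  }

  // What the social-login module does on every request.
  drupal_session_start();

  // Workaround: a non-empty $_SESSION makes drupal_session_commit() write
  // the session row and set the insecure sid cookie alongside the secure
  // ssid cookie, so the next request is recognised as the same session.
  if (empty($_SESSION['dummy'])) {
    $_SESSION['dummy'] = 'someval';
  }
}
```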

Comments

eanushan

Typos

klausi

Version: 7.22 » 7.x-dev

Status: Active » Closed (outdated)

Automatically closed because Drupal 7 security and bugfix support has ended as of 5 January 2025. If the issue verifiably applies to later versions, please reopen with details and update the version.