if ssid is empty on a session, a new session is generated.
Specifically - if you update a site with the patches for secure pages but use an existing session, your session is not upgraded to work and is instead replaced - for https.
if you switch back to http, the old session is used instead.
Suggestion : have a way to invalidate sessions where ssid is blank when securepages is enabled?
I'm a little unclear on what to do, other than it impacts http://drupal.org/node/1050746 (HTTPS sessions not working in all cases)
Perhaps I can instruct the customer to clear out sessions where ssid='' after they've updated.