(I just realised that the title is perhaps misleading – it should be: “Only Authenticate SSL Users”)
PS: I’m not 100% sure about how it works, but I am assuming that the client will only send the cookie if requested to do so. If this assumption is false, then the better solution would be that the cookie is constructed in such a way that the client only sends the auth cookie when using SSL.
