Simple fix, but requires changes on both sides
The "fix" is surprisingly simple: treat cookies for non-SSL sessions completely separate from cookies for SSL sessions. Put another way, treat SSL and non-SSL as different domains. If a user logs into https://www.example.com and cookie "mypassword" is set, then that cookie should only be for the SSL site. If the user then switches over to http://www.example.com (non-SSL), don't send that cookie.
Mind you, this is a problem for both sides -- the browsers and the website maintainers. The browsers need to be changed to use this method. Website maintainers need to make sure that they're using SSL when sending private data (such as these authentication tokens). Sadly, it seems a lot of website maintainers aren't so smart. All too often, sites use SSL only for the login form, then switch you over to non-SSL after login. My local power company has you log in in-the-clear BEFORE switching over to SSL. What good is it to use SSL after you've forced the user to send their name and password in clear-text?
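The scoping rule proposed above, modelled as an added example (not code from the original post or from any browser). The `CookieJar` class, its two policy names and the token value are assumptions made for illustration; the model ignores cookie paths, ports and expiry so that only the scheme separation is visible.

```javascript
// Added illustration: a minimal cookie jar model, not any browser's real code.
// Policy "host-only" keys cookies by hostname (the behaviour the post criticises);
// policy "scheme-bound" keys them by scheme + hostname (the post's proposed fix).
class CookieJar {
  constructor(policy) {
    if (policy !== "host-only" && policy !== "scheme-bound") {
      throw new Error("unknown policy: " + policy);
    }
    this.policy = policy;
    this.store = new Map(); // scope key -> Map(cookie name -> value)
  }

  // Compute the scope a URL's cookies live in under the active policy.
  scopeKey(url) {
    const u = new URL(url);
    if (u.protocol !== "http:" && u.protocol !== "https:") {
      throw new Error("unsupported scheme: " + u.protocol);
    }
    const host = u.hostname.toLowerCase();
    return this.policy === "scheme-bound" ? u.protocol + "//" + host : host;
  }

  // Record a cookie received in a response from `url`.
  set(url, name, value) {
    const key = this.scopeKey(url);
    if (!this.store.has(key)) this.store.set(key, new Map());
    this.store.get(key).set(name, value);
  }

  // Build the Cookie header that would accompany a request to `url`.
  cookieHeader(url) {
    const cookies = this.store.get(this.scopeKey(url)) || new Map();
    return [...cookies].map(([n, v]) => n + "=" + v).join("; ");
  }
}

// Constructed scenario from the post: log in over SSL, then visit the non-SSL site.
function simulate(policy) {
  const jar = new CookieJar(policy);
  jar.set("https://www.example.com/login", "mypassword", "s3cret-token");
  return {
    overHttps: jar.cookieHeader("https://www.example.com/account"),
    overHttp: jar.cookieHeader("http://www.example.com/"),
  };
}

console.log("host-only   :", simulate("host-only"));
console.log("scheme-bound:", simulate("scheme-bound"));
```

Under "host-only" the cookie set during the SSL login is attached to the plain-HTTP request; under "scheme-bound" that request carries no cookie while the HTTPS request still does.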