This was for an application which requires authentication. The controller sends the browser a redirect (to the login URL) if the user is not authenticated. I had set the cookie path with something like the following:
$baseUrl = 'https://www.example.com/gakkk/';
// several lines later...
This worked OK in chrome, but Firefox and MSIE both got locked up in redirection loops. After scratching my head for a while, I finally figured out that I should be doing this:
The cookie_path (it has that name for a reason) should exclude the protocol, hostname, and port. Information security auditors like to complain about web applications that don't set the cookie path.