I'm currently trying to chase down the presence of a "sticky" zenid parameter on a site that is https-only running Zen Cart v1.5.4 and PHP 5.3.29. All the session-related settings look standard.
Code:
Session Directory                        /home/main_site/public_html/test_site/cache   Info
Cookie Domain                            True
Force Cookie Use                         False
Check SSL Session ID                     False
Check User Agent                         False
Check IP Address                         False
Prevent Spider Sessions                  True
Recreate Session                         True
IP to Host Conversion Status             true
Use root path for cookie path            False
Add period prefix to cookie domain       True

I've traced the issue down to the highlighted code fragment in /includes/functions/html_output.php's zen_href_link function:

Code:
Session Support                    enabled
Registered save handlers           files user sqlite
Registered serializer handlers     php php_binary

Directive                          Local Value                                    Master Value
session.auto_start                 Off                                            Off
session.bug_compat_42              On                                             On
session.bug_compat_warn            On                                             On
session.cache_expire               180                                            180
session.cache_limiter              nocache                                        nocache
session.cookie_domain              .www.main_site.com                             no value
session.cookie_httponly            On                                             Off
session.cookie_lifetime            0                                              0
session.cookie_path                /test_site/admindir/
session.cookie_secure              On                                             Off
session.entropy_file               no value                                       no value
session.entropy_length             0                                              0
session.gc_divisor                 2                                              100
session.gc_maxlifetime             900                                            1440
session.gc_probability             1                                              1
session.hash_bits_per_character    4                                              4
session.hash_function              0                                              0
session.name                       zenAdminID                                     PHPSESSID
session.referer_check              no value                                       no value
session.save_handler               user                                           files
session.save_path                  /home/main_site/public_html/test_site/cache    /tmp
session.serialize_handler          php                                            php
session.use_cookies                On                                             On
session.use_only_cookies           On                                             On
session.use_trans_sid              0                                              0
I added the bit to set that session variable with the results. On Chrome and IE11 (but not Firefox), that value is set with zenid=xxxxx,SID, which indicates that the highlighted code that checks to see if the SID is set is being executed.

Code:
while ( (substr($link, -1) == '&') || (substr($link, -1) == '?') ) $link = substr($link, 0, -1);

// Add the session ID when moving from different HTTP and HTTPS servers, or when SID is defined
if ( ($add_session_id == true) && ($session_started == true) && (SESSION_FORCE_COOKIE_USE == 'False') ) {
  if (defined('SID') && zen_not_null(constant('SID'))) {
    $sid = constant('SID');
//  } elseif ( ( ($request_type == 'NONSSL') && ($connection == 'SSL') && (ENABLE_SSL_ADMIN == 'true') ) || ( ($request_type == 'SSL') && ($connection == 'NONSSL') ) ) {
  } elseif ( ( ($request_type == 'NONSSL') && ($connection == 'SSL') && (ENABLE_SSL == 'true') ) || ( ($request_type == 'SSL') && ($connection == 'NONSSL') ) ) {
    if ($http_domain != $https_domain) {
      $sid = zen_session_name() . '=' . zen_session_id();
    }
  }
}

// clean up the link before processing
while (strstr($link, '&&')) $link = str_replace('&&', '&', $link);
while (strstr($link, '&&')) $link = str_replace('&&', '&', $link);

if ( (SEARCH_ENGINE_FRIENDLY_URLS == 'true') && ($search_engine_safe == true) ) {
  while (strstr($link, '&&')) $link = str_replace('&&', '&', $link);

  $link = str_replace('&', '/', $link);
  $link = str_replace('?', '/', $link);
  $link = str_replace('&', '/', $link);
  $link = str_replace('=', '/', $link);

  $separator = '?';
}

if (isset($sid)) {
  $_SESSION['href_link_sid'] = $sid . ((defined('SID') && zen_not_null (constant ('SID'))) ? ', SID' : ',not-SID');
  $link .= $separator . zen_output_string($sid);
}
I can see in both browsers that the zenid cookie is, in fact, set and set to the value that's tracking in the zenid $_GET parameter. Anyone got any ideas?



