Selectively enabling SSL for certain actions in Ca

Posted 2019-04-28 21:43

I'm trying to enable SSL for only certain actions on my CakePHP based website. I'm doing this using requireSecure() and redirecting to https://url in the corresponding blackHoleCallback().

To keep the server load down, I'd like to redirect back to http://whatever_url once the user is done with the action that requires SSL.

How do I do this?

3 answers
甜甜的少女心
#2 · 2019-04-28 22:18

Make sure to use a cookie that requires a secure connection for the secure pages, and a normal cookie for non secure pages. This way, if someone captures the non secure cookie, they won't be able to hijack any sensitive information.

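Added example, not part of the original answer and not CakePHP's own API: the two-cookie split described above, in plain PHP (7.3+ for the options-array form of setcookie()). The cookie names `sid` and `sid_secure` and all function names are assumptions, and the tokens in the demo are constructed sample values.

```php
<?php
// Added example in plain PHP; cookie names and function names are hypothetical.
const PLAIN_COOKIE  = 'sid';         // sent over HTTP and HTTPS
const SECURE_COOKIE = 'sid_secure';  // Secure flag: sent over HTTPS only

function cookieOptions(bool $secure): array
{
    return ['expires' => 0, 'path' => '/', 'secure' => $secure,
            'httponly' => true, 'samesite' => 'Lax'];
}

// Call once at login, over HTTPS. Store the returned tokens server-side.
function issueLoginCookies(): array
{
    $tokens = [
        PLAIN_COOKIE  => bin2hex(random_bytes(16)),
        SECURE_COOKIE => bin2hex(random_bytes(16)),
    ];
    setcookie(PLAIN_COOKIE, $tokens[PLAIN_COOKIE], cookieOptions(false));
    setcookie(SECURE_COOKIE, $tokens[SECURE_COOKIE], cookieOptions(true));
    return $tokens;
}

// Gate for actions that require SSL: the request must be HTTPS and must
// carry the Secure cookie. The plain cookie alone never unlocks them.
function maySeeSensitive(array $cookies, array $stored, bool $isHttps): bool
{
    if (!$isHttps || !isset($cookies[SECURE_COOKIE], $stored[SECURE_COOKIE])) {
        return false;
    }
    return hash_equals($stored[SECURE_COOKIE], (string) $cookies[SECURE_COOKIE]);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample tokens, standing in for what issueLoginCookies() stored.
    $stored = [PLAIN_COOKIE => 'aaaa1111', SECURE_COOKIE => 'bbbb2222'];

    // Case 1: HTTPS request carrying both cookies.
    var_dump(maySeeSensitive($stored, $stored, true));
    // Case 2: HTTPS request carrying only the plain cookie seen on an HTTP page.
    var_dump(maySeeSensitive([PLAIN_COOKIE => 'aaaa1111'], $stored, true));
    // Case 3: plain-HTTP request to a sensitive action.
    var_dump(maySeeSensitive($stored, $stored, false));
}
```

Only the first case passes the gate; the browser never sends `sid_secure` over http://, so a cookie captured on a non-secure page is not enough to reach the SSL-only actions.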
时光不老,我们不散
#3 · 2019-04-28 22:28

So this is one solution I've come upon. I add the following snippet to beforeFilter() in AppController:

// Leave HTTPS when the current action is not one that requires it.
if (!in_array($this->action, $this->Security->requireSecure) && env('HTTPS')) {
    $this->_unforceSSL();
}

The function is defined as:

function _unforceSSL() {
    $this->redirect('http://' . $_SERVER['SERVER_NAME'] . $this->here);
}
家丑人穷心不美
#4 · 2019-04-28 22:37

What I don't like with the redirect approach is that the user still goes to the unsecure URL and only after this is he redirected.

I wanted something done at the html->link/url level where, depending on what you pass, an SSL/non-SSL link is returned, something similar to http://cakephp.1045679.n5.nabble.com/Re-Login-through-HTTPS-on-CakePHP-td1257438.html but also using the secure component.

Later edit: I did something easier that just got my job done. I'll try to give a simple example (don't forget to define MYAPP_SECURE_URL in config/core.php or bootstrap.php). In app I created app_helper.php:

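class AppHelper extends Helper {
    // Return the HTTPS URL for the login action; everything else goes through the router.
    function url($url = null, $full = false) {
        // $url may be a string or null, so only inspect it when it is an array.
        if (is_array($url) && isset($url['action'], $url['controller'])
                && $url['action'] == 'login' && $url['controller'] == 'users') {
            return MYAPP_SECURE_URL . '/users/login';
        }
        return h(Router::url($url, $full));
    }
}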