One other possibility... do you use browser user-agents as part of your session security? And if so, do you have rss feeds? I found that the Safari RSS reader and Mail app share cookies with Safari itself but use different user-agent strings. I had to throw user- agents out of the session security equation because of cases like this.