For anyone with a similar problem, here's how I sorted it. As any fool (except me) knows, IE6 downgrades cookies to session cookies if there is no compact privacy policy in the header. You have to implement a p3p privacy policy - go to [p3ptoolbox.com...] to find out how. There is a tool for making the files at [alphaworks.ibm.com...] Validator is at [w3.org...] You get into a cycle of testing etc with the validator until you have everything in the right place. To add the p3p: header, you turn on mod_headers and something like

<IfModule mod_headers.c>

Header append P3P: 'CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI CO
M NAV INT", policyref="/w3c/p3p.xml"'

</IfModule>

to an .htaccess or your virtual server config. NB the policyref= has to be at /w3c/p3p.xml. The CP= bit comes from the compact policy that you can save as a text file.

Once you have made a policy that is compliant, you need to check whether it is compliant with what ie6 needs to allow cookies. A good tool is privacy bird (www.privacybird.com). You tell it your settings (which should be medium). It twitters if all is ok and complains if not.

Whew.