I’ve been hoping for the last hour or two that there’d be just one post on this topic, giving the problem and solution all together, but I have yet to solve it and so I’m just going to post the issue for now, until I have a solution.
As a security measure in WP2.6, login cookies are now split into what seem to be at least three different cookies—two with paths like /wp-admin and /wp-content/plugins that are the full cookie that auth_redirect() checks against and one that’s different, with path / [paths relative to the blog root]. Near as I can tell, this immediately breaks any attempt to use auth_redirect() for authentication (e.g. this and this) outside the /wp-admin and /wp-content/plugins directories. It is also not immediately clear to me how to authenticate against the whole-site cookie, if there’s any way to do that at all.
A temporary, but very bad fix would be to completely defeat the security by defining ADMIN_COOKIE_PATH to be the site root, rather than the path to /wp-admin. I’m thinking that, from a quick skim of pluggable.php, there might be plugin action hooks to allow setting other cookies that would allow authentication on other paths…