The solution was simple but not obvious.
The Sessionhelper sends a cookie to you browser (CAKEPHP by default) containing your session id and store your session data on the server. This storage method can be selected with the Session.defaults.
At first I have suspected the php builting session which in the default case does the session data storage on the server. After creating some minimal tests the php built in session handling seemed to be working. Later I have realized that my CAKEPHP cookie had been never sent to my browser. I have created a small test to the php's setcookie function. It worked. I have realized the following section of the manual:
Like other headers, cookies must be sent before any output from your script (this is a protocol restriction). This requires that you place calls to this function prior to any output, including <html> and <head> tags as well as any whitespace.
After I have added a newline before my php start tag the test stopped working in the new environment, but worked on my dev box.
And yes after some code ditching I have found the malicious code:
I have left a tab in my UsersController before the php start tag...