dogensan
Posted April 9, 2007

Hi There,

I've stumbled across a problem with a shopping cart I've recently developed. It basically works by snatching the user's session_id(), storing that in a MySQL database, along with the product they add to the cart, i.e.

<?php
session_start();
$sessid = session_id(); // the session ID is the only key tying cart rows to the visitor
...
$sql = "INSERT INTO carttemp SET session_id = '$sessid', item_id = '$id', item_size = '$size', item_quantity = '$quantity'";
...
?>

When it comes time for the user to check out, they get transferred to a secure HTTPS connection. The customer is then provided with a rundown of what's in their cart, with code as simple as:

<?php
session_start();
$sessid = session_id();
// look up the cart rows stored under the current session ID
$query = "SELECT * FROM carttemp WHERE session_id = '$sessid'";
...
?>

As you can see, the reference point is always the session_id. There are no variables stored in sessions; I am simply using the session_id to match the data stored in the temporary database with the user.

90% of the time this code works fine. However, I have had a few reports that customers will add items to their cart, click on order (which changes them to an HTTPS connection) and suddenly their cart will be empty! I've been able to replicate this problem, but only using Firefox 1.5 on PC and only sometimes (very strange!!).

In these cases, it would appear that changing from HTTP to HTTPS generates a new session_id. Most of the time the session_id remains the same whether in HTTP or HTTPS, and you can jump back and forward without dramas.

Does anyone know why this would be working sometimes, but not all the time, and how I can best avoid it happening altogether? Keeping in mind that once in HTTPS, the user might jump back to HTTP and vice versa; the whole time I will need some sort of reference point to match items stored in the cart database with the customer who put them there!

Can I store the session_id in a cookie that can be accessed in both HTTP and HTTPS? And how would I reference and make sure I'm getting the right cookie without being able to use the session_id?

Or can I simply just scrap sessions and use cookies altogether? There will be no sensitive data (well, no data at all really) stored in the cookie; it is simply a means of linking a customer to their products whilst they are still browsing/ordering.

Or is there a way to simply maintain the session_id between HTTP and HTTPS?

I would prefer to avoid a solution that requires the SID be sent through URL, POST or GET, as it would require huge amounts of re-coding.

Thanks in advance to anyone that can help me out with this situation!

Dogen

EDIT: Grammar and wording.
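
An added example, not part of the original post: one way to build the cookie-only cart reference the post asks about, using a random cart token that is sent on both HTTP and HTTPS and a bound parameter in place of the interpolated query. The names cart_token, cartToken() and cartItems() are hypothetical, the in-memory SQLite database and its rows are constructed for the demo, and PHP 7.3+ with PDO is assumed; because the token crosses plain HTTP it should identify nothing but the cart.

```php
<?php
// Added example. Hypothetical names: cart_token, cartToken(), cartItems().
// Table carttemp and its columns come from the post. Assumes PHP 7.3+, PDO SQLite.
const CART_COOKIE = 'cart_token';

// Return the visitor's cart token, issuing a new one if the cookie is missing
// or malformed. The token only links carttemp rows to a browser.
function cartToken(array $cookies, ?callable $send = null): string
{
    $token = $cookies[CART_COOKIE] ?? '';
    // Accept only the format we issue: 32 lowercase hex characters.
    if (is_string($token) && preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return $token;
    }
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    $send = $send ?? 'setcookie';       // injectable so the demo runs without headers
    $send(CART_COOKIE, $token, [
        'expires'  => time() + 7 * 86400,
        'path'     => '/',
        'secure'   => false,  // deliberately sent on both HTTP and HTTPS
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    return $token;
}

// Fetch the cart rows for a token with a bound parameter, not string interpolation.
function cartItems(PDO $db, string $token): array
{
    $stmt = $db->prepare(
        'SELECT item_id, item_size, item_quantity FROM carttemp WHERE session_id = ?'
    );
    $stmt->execute([$token]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE carttemp (session_id TEXT, item_id INT, item_size TEXT, item_quantity INT)');

$sent = []; // records cookies that would have been sent to the browser
$record = function (string $n, string $v, array $o) use (&$sent) { $sent[$n] = $v; return true; };

$token = cartToken([], $record);                      // first visit over HTTP: token issued
$db->prepare('INSERT INTO carttemp VALUES (?, ?, ?, ?)')->execute([$token, 42, 'M', 2]);
$again = cartToken([CART_COOKIE => $token], $record); // later request over HTTPS: same cookie
var_dump($again === $token, count($sent), count(cartItems($db, $again)));
```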