I've not a big brain, but I have some ideas for you to consider.
For one, are bother the regular, and secure virtualhosts on the SAME 'machine' ? If so, you can pass the session argument in a URL click to make it use the save session variable name (granted you are doing session_start and session_register the same on both sides).
See, if the $PHPSESSID is passed on the URL, then PHP thinks to use that session name.
Crude href example:
https://secureserver.com/app.php?PHPSESSID=<?=$PHPSESSID?>
Another way, would be to do some serious internal work, where you flag an IP, then pass a 'made up' session id through the URL, and then on the other side (the secure server side), you check the incoming arg, against what was made on the back end, and match it with the same IP, and then register the session name that you stored with that in a DB. Sounded confusing? Yes... but if you are really paranoid about putting the session id variable in a URL, then thats a way to go about hiding it with a bit of IP security. ugh is all I say to THAT!
What I do, is on a store, is all the pages, products, listings, are in normal http. Then when items are put into a cart, it is STILL http. Now, when the user clicks on "Checkout"... THAT link goes to https with the session arg in the URL for the first time in. While inside the checkout process, I dont pass that arg anymore, as its already been setup.
This is assuming you require cookies to be on to use the store. One way I've also made the store not require cookies, is I do a cookie check, and then always pass the session id in the URLs at all times.
Ok, I am done rambling your ear off ... 😃 food for thought.
