session variables in secure session

hessodreamy

I've got a shopping cart application which stores purchased items in the session array. However when I switch to a secure session on https the items have vanished.

My question is: Are session variables transferred when switching from non-secure to secure session?

mtmosier

I can say without a doubt that it definitely... depends. In my experience if the hostname is exactly the same (http://www.example.com -> https://www.example.com) the session comes over automatically. I've heard other people say that doesn't work for them though, so...

If the hostnames are not the same (http://www.example.com -> https://example.com) then the session won't normally carry automatically. You can pass the session id in the url, though be careful of security in that case. If you link to an external site from a page with the session id in the url then the external site may get the session id in their referrer logs, which may allow them to hijack the user's sesssion.