We have an ecommerce site using ASP.NET where all the product pages are in HTTP and the payment page is in HTTPS (with SSL). The SSL is across the site, so users can also view all the pages over HTTPS.
We have a session expiry page on the server, and whenever the session expires the user is redirected to the session expired page. On this page we have an Email component which emails us back all the server variables for us to diagnose why session expiry is occurring.
It looks like when people are selecting a product and going to the payment page we are facing this session expiry. This does not happen all the time, only in some instances. I have done some research and found some links, but most say that it's not possible at all to share session between HTTP and HTTPS. If that's the case then every session would have expired when the payment page was called, which is not what is happening, unless the user started with HTTPS and continued to payment with HTTPS.
I was hoping that this issue would be common for many applications where only the payment is over secure channels, and maybe one of the experts here has an answer to this. Maybe there is a better way to handle this, and any help would be appreciated.