

SSL Logins that lead to HTTP pages

managing sessions on multiple servers

         

ryan_b83

3:07 pm on Oct 27, 2006 (gmt 0)


Hello, I asked the following question a little while back.

In a situation where a user goes to an HTTPS page to log in securely, then posts to a script that processes the login, the user is logged in but the remaining pages are no longer using SSL. How would this be done if the SSL server would have its own session, and the HTTP server would have its own session?

I was advised to pass the SESSION ID as a GET variable... however that itself is insecure... any ideas?

Thanks,
Ryan

perl_diver

5:27 pm on Oct 27, 2006 (gmt 0)


pass the session ID in a cookie.

stajer

5:43 pm on Oct 27, 2006 (gmt 0)


... and encrypt the cookie...

stajer

5:44 pm on Oct 27, 2006 (gmt 0)


... and link another parameter in the cookie to a field in the user database that has a random, unique code for each user...

rocknbil

6:25 pm on Oct 27, 2006 (gmt 0)


Guys, unless I'm missing something, you can only set or get a cookie from the same domain, correct? So a cookie set on the https version cannot be read by the http version.

What I do here is however you get from https to http, I pass along the sessionid via either a hidden field or query string variable. Because you're going FROM secure to non-secure, I don't see how security is an issue as long as the login doesn't involve sensitive information. If it does, apply the same encrypting/decrypting techniques - encrypt it before storing it in a hidden field/qstring, decrypt it before evaluating it in the read/parse.

perl_diver

7:08 pm on Oct 27, 2006 (gmt 0)


rocknbil,

the OP didn't mention anything about different domains, just different servers. I assumed the servers were all using the same domain but that could be a wrong assumption. In which case your suggestion would have to be used.

stajer

10:32 pm on Oct 27, 2006 (gmt 0)


Just to back up perl: a cookie can be set on https and read on http and vice versa. Cookies can't be read across domains, but they can be read across SSL states.

Also, no matter what the actual login information, you have to treat a login as confidential and must be secure because if compromised it can lead to personal information being divulged.
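The point stajer makes above (cookie scope is the domain, not the scheme) is exactly what decides whether a session ID minted over HTTPS will later travel over plain HTTP. The following is an added example, not code from the thread or from any poster; it models the two attributes a browser checks before attaching a cookie to a request, `Domain` and `Secure`, and shows how a `Set-Cookie` header should be built. The hostnames and cookie values are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    """Minimal model of the cookie attributes relevant to scheme/domain scope."""
    name: str
    value: str
    domain: str            # host the cookie was set for, e.g. "www.example.com"
    secure: bool = False   # Secure attribute: only sent over HTTPS
    http_only: bool = False  # HttpOnly attribute: hidden from script


def set_cookie_header(cookie: Cookie, path: str = "/") -> str:
    """Render the Set-Cookie header value a server would emit for this cookie."""
    parts = [f"{cookie.name}={cookie.value}", f"Domain={cookie.domain}", f"Path={path}"]
    if cookie.secure:
        parts.append("Secure")
    if cookie.http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Domain matching: exact host, or a subdomain of the cookie's domain."""
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def cookie_sent_to(cookie: Cookie, url: str) -> bool:
    """Would a browser attach this cookie to a request for `url`?

    Only domain and the Secure flag are checked; the scheme the cookie was
    originally set under plays no part, which is the thread's conclusion.
    """
    parts = urlsplit(url)
    if not parts.hostname or not domain_matches(parts.hostname, cookie.domain):
        return False
    if cookie.secure and parts.scheme != "https":
        return False
    return True


def cookies_for_request(jar: list[Cookie], url: str) -> list[str]:
    """Names of the cookies from `jar` that would accompany a request to `url`."""
    return [c.name for c in jar if cookie_sent_to(c, url)]


if __name__ == "__main__":
    # Constructed session cookies: one set without Secure, one with it.
    plain = Cookie("sid", "constructed-session-id", "www.example.com")
    locked = Cookie("sid_ssl", "constructed-session-id", "www.example.com", secure=True, http_only=True)
    jar = [plain, locked]
    print(set_cookie_header(locked))
    # The non-Secure session cookie minted over HTTPS is sent over plain HTTP too:
    print(cookies_for_request(jar, "http://www.example.com/account"))
    # Over HTTPS both are sent:
    print(cookies_for_request(jar, "https://www.example.com/account"))
```

The takeaway for the setup in the original question: if the same domain serves both the HTTPS login and the HTTP pages, the session cookie crosses over on its own, with no need to pass the ID in a query string; but a cookie without `Secure` is then sent in the clear on every HTTP request, so the session it carries is only as confidential as the HTTP hops. Marking the cookie `Secure` keeps it on HTTPS, at the cost of the HTTP pages no longer seeing the session at all.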

rocknbil

5:30 am on Oct 28, 2006 (gmt 0)


Man! I will have to check. I could swear on a recent project I couldn't read a cookie on https that I set on http. Probably mixing up projects . . .

I suppose my use of the sessionid is different, then. No one should be able to log in or hijack a login based on the sessionid. To do that you'd need both the sessionid AND the login name/pass, and neither can be accessed from the other.

rocknbil rests, sorry for the wasted server space.