I enabled J2EE sessions previously, and that yielded the same outcome - the session was lost between secure/insecure pages.
The problem with allowing https:// URLs throughout the site is that Google can penalise websites for duplicate content, and so it is SEO best practice not to allow both secure/insecure versions of the same pages (however in saying that, there may be a new way of using rel=canonical to avoid penalties by specifying only the insecure address on all pages of the site.)
We only want some pages to be secure, like the customer login and their order pages etc. That is all ok until the user clicks on a http:// link, and then their session is lost. We'd like the user to stay logged in and be able to browse both, and this used to work on CF7. Alas this behaviour no longer works (for us at least) on CF10. Finding the code that could be causing this is our task for another day I think.
