scorpio17 has asked for the wisdom of the Perl Monks concerning the following question:
Okay... the cookie monster isn't really after me. But I do have a monster of a problem, and it does involve cookies, so my title isn't totally bogus.
I'm working on a website. I want registered members to be able to log in with username/password. I also want users to be able to submit this login information over a secure connection.
I'm using CGI::Session and CGI::Cookie, etc. I've used them before and have read the docs, etc.
The URL for my site is something like http://www.example.com. I'm using a shared web hosting company to host it. I just upgraded my account in order to get the "secure access" part. Basically, they give you another URL like this: https://www.myhost.com/username
So the problem I have is this: if I use the https URL for my login page, the session id written to my cookie is on the myhost.com domain, and when I redirect back to example.com, it's no longer visible. I don't want to stay stuck in https land forever, but I need the http pages to know if a user is logged in or not.
I have done similar stuff a million times, no problem - but always where the URLs were either on the same host, or at least in the same subdomain. But I see no easy way around this. I suppose I could somehow extract the session id and pass it around as a CGI parameter - but that would kind of undermine the whole point of using a secure connection (make it easy to hijack other people's sessions).
Oh yeah - I can pay more, and get a security certificate of my own, so that I'll have the URL https://www.example.com instead of https://www.myhost.com/username. I think everything will work out fine if I do that - but I'm trying to save a buck.
Has anyone ever had to find a similar work-around? I'd really appreciate any tips/tricks/suggestions that may help.
Thanks!
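The cookie scoping described in the question, as an added example that is not part of the original post: a small Perl model of the RFC 6265 domain, path and Secure checks a browser applies before sending a stored cookie. The cookie name `CGISESSID`, the `/username` path, the Secure flag and the script names in the URLs are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: models the RFC 6265 rules a browser uses to decide whether a
# stored cookie is sent with a request. The cookie and URLs are constructed.
use strict;
use warnings;

# RFC 6265 section 5.1.3: a host-only cookie needs an exact host match; a
# cookie set with a Domain attribute also matches subdomains of that domain.
sub domain_match {
    my ($host, $cookie) = @_;
    my ($h, $d) = (lc $host, lc $cookie->{domain});
    return 1 if $h eq $d;
    return 0 if $cookie->{host_only};
    return 0 if $h =~ /^[\d.]+$/;    # IPv4 literals never suffix-match
    return $h =~ /\.\Q$d\E$/ ? 1 : 0;
}

# RFC 6265 section 5.1.4: the cookie path must be a prefix of the request
# path that ends on a "/" boundary.
sub path_match {
    my ($req, $cpath) = @_;
    return 1 if $req eq $cpath;
    return 0 unless index($req, $cpath) == 0;
    return 1 if $cpath =~ m{/$};
    return substr($req, length $cpath, 1) eq '/' ? 1 : 0;
}

sub would_send {
    my ($url, $cookie) = @_;
    my ($scheme, $host, $path) =
        $url =~ m{^(https?)://([^/:]+)(?::\d+)?(/[^?#]*)?}i
        or die "cannot parse URL: $url\n";
    $path = '/' unless defined $path;
    return 0 if $cookie->{secure} && lc $scheme ne 'https';
    return domain_match($host, $cookie)
        && path_match($path, $cookie->{path}) ? 1 : 0;
}

# Assumed cookie, as the https login page on the shared host might set it.
my $session = { name => 'CGISESSID', domain => 'www.myhost.com',
                host_only => 1, path => '/username', secure => 1 };

for my $url ('https://www.myhost.com/username/login.cgi',
             'https://www.myhost.com/otheruser/page.cgi',
             'http://www.example.com/members.cgi') {
    printf "%-45s %s\n", $url, would_send($url, $session) ? 'sent' : 'not sent';
}
```

Only the first URL gets the cookie. The request to www.example.com fails the Secure check and the domain match, and no Domain attribute set from www.myhost.com can name example.com.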
Replies are listed 'Best First'.
Re: Please Save me from the Cookie Monster!
by ikegami (Patriarch) on Nov 26, 2008 at 06:27 UTC