How many sessions will you have? If it is a low number, why not do the whole thing via SSL?
>>I'm guessing 3-5 might be active at any one time.
I think you may need to rethink your entire design to make it a little more robust. Think about a customer using an ISP that does the decent thing and attempts to cache pages, graphics whatever and also dynamically assigns IP addresses to the client at connect time (with a lease that could in theory expire during the session). What if the customer looses their connection and has to re-dial, the web session could be intact but the IP address will likely change.
>>Caching won't matter, as everything takes place at the server. If they lose their connection, they reconnect, but must start over if assigned a new IP address. Since many are using DSL and Cable Internet Lan lines, disconnects should be less frequent in the near future. No one wants to use a 56kbs connection anymore.
Also why use two files not one? In fact take a look at this link for a slightly better alternative.
>> I use two files to better manage the process. The two files are related by the IP address. Plus, these files get loaded to a Mysql database.
SSL will not interfere with the client IP address it will simply mean that they will be connecting with the server on a different port (typically 443).
>> So what you are saying is everything the cart program is currently doing can take place the way it is currently set up, it wil just be the port number that's different. Great!
Are you managing the SSL? Are you the only one with access to this server? Storing this kind of information on a shared server could get you into some hot water
>> Not sure what this means, but our web host is giving us SSL capabilities for our e-commerce account. So, we are using my Web Host's service.
What about hidden <input>'s? What about a temporary directory name to be passed via a URL (very highly unsecure indeeeeeeed!) What about cookies as a last resort?
There are lots of ways to address the problem you seem to have with the files but IMHO you have some more serious issues to address first.
>>Thanks for the critique. I will visit the above link you listed. If you'd like to see our site's cart in action visit http://www.topsecretspydevices.com
and try "buying" something. The site is not active, but feel free to put in some fake info so that you get an order generated. Let me know what you think. If all goes well you'll get an email confirmation sent back to you. We are still working on the site layout so please excuse some of the graphics, or lack thereof. Thanks again.