Selective SSL, Ajax and JSONP
Hi folks,
I have progressed to the user authentication of a web app I'm building. I implemented the mechanics of the login process over HTTP originally. The idea is for the login process to create a PHPSESSID which the SQL PHP would then recover. This all worked fine with HTTP. I then proceeded to enable SSL to hide the login dialog and session id. The bulk of the app should continue to download stuff using HTTP. So I have a sequence like: HTTPS redirects to HTTP, which makes $.ajax calls to HTTPS. The latter bit crashes big time. Looking at Firebug, the Net panel reports that Firefox fired an OPTIONS header at my PHP script, which that script did not handle well. The script tried to recover the PHPSESSID from the OPTIONS header, failed, and returned my "No active session" error. I understand that the problem results from HTTP://www.mydomain.com and HTTPS://www.mydomain.com being seen as different domains. (I'd actually appreciate a heads-up as to why a mere protocol change is considered toxic by people smarter than myself. It seems to me that it's all still the same domain...) And that Firefox is trying to establish with an Access-Control-Request whether my server would like to oblige. It seems prima facie that there may be something that I am required to do on my server. However, in researching this problem I stumbled upon JSONP. I have wondered before what that JSONP stuff in $.ajax was all about, but since I managed to get by without it thus far, I never investigated. Reading some forum posts on JSONP, it seems that it might be a way around my problem. I have a few questions:
(1)
Why is it ok to download JS from 3rd parties, but not make $.ajax calls? Naively, I had thought that the former presents a considerably greater security risk than the latter. (What's the worst a $.ajax call could pull down? Probably JS actually...)
(2)
What do I have to do with my PHPSESSID cookie? I think that I should flag it "secure=true" such that it will only be sent along HTTPS connections. How will this affect my JSONP request? I am guessing that the script tag is loaded via HTTP? So will the SQL PHP script receive the cookie?
(3)
My server currently returns JSON data like so {}. JSONP is something like so callback= function() { return {}; }. I understand that I can configure the $.ajax call to do the padding for me. Should I? Or is it more efficient/better to rewrite my PHP script?
Thank you for giving this post your attention (I apologise for the length).
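Added example, not the original poster's code and not a reply in the thread: a version of the "SQL PHP" script that answers the OPTIONS preflight first and only then looks up the session. The preflight the browser sends for a cross-origin $.ajax call carries no cookies, so a script that begins with a session lookup will always answer it with "No active session". Assumed names: the script is data.php on https://www.mydomain.com, the calling page is served from http://www.mydomain.com, the session stores the login under user_id, and PHP 7.3 or newer is in use (for the array form of session_set_cookie_params()).

```php
<?php
// Added example, not the original poster's code. Assumed names: data.php is
// the "SQL PHP" script at https://www.mydomain.com, called with $.ajax from a
// page served over http://www.mydomain.com. Requires PHP 7.3+ for the array
// form of session_set_cookie_params().

// Origins that may call this script with the session cookie attached.
// This allow-list is an assumption; list only your own pages here.
$allowedOrigins = ['http://www.mydomain.com', 'https://www.mydomain.com'];

$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (in_array($origin, $allowedOrigins, true)) {
    // Echo the one matching origin. "*" is not allowed together with
    // Allow-Credentials, and Vary keeps a cache from reusing this reply
    // for a different origin.
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Access-Control-Allow-Credentials: true');
    header('Vary: Origin');
}

// The preflight seen in Firebug. It carries no cookies, so answer it before
// any session lookup, and without a body.
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type, X-Requested-With');
    header('Access-Control-Max-Age: 600'); // seconds the browser may cache this answer
    http_response_code(204);
    exit;
}

// The real request: the cookie is present now, provided the client sent it
// with withCredentials and the cookie's flags allow it. The login script
// must create the session with these same parameters.
session_set_cookie_params([
    'secure'   => true,  // only ever sent over HTTPS
    'httponly' => true,  // not readable by page script
    // SameSite is deliberately left at PHP's default: browsers with
    // schemeful same-site treat the http:// and https:// hosts as different
    // sites, so Lax or Strict would drop the cookie on this call.
]);
session_start();

header('Content-Type: application/json');

if (empty($_SESSION['user_id'])) {   // 'user_id' is an assumed session key
    http_response_code(401);
    echo json_encode(['error' => 'No active session']);
    exit;
}

// Placeholder for the real SQL work; the payload shape is assumed.
echo json_encode(['user' => $_SESSION['user_id'], 'items' => []]);
```

On the client side the matching $.ajax call needs xhrFields: { withCredentials: true }; without it the browser does not attach the cookie even when the server allows it. On question (2): a script tag pointing at an https:// URL does carry a Secure cookie, so JSONP would appear to work, but any page on any site can then include that same tag and read the logged-in user's data, which is why a credentialed JSONP endpoint is best avoided in favour of the CORS headers above. Allowing the http:// origin also means that anything injected into the HTTP page can make credentialed calls to the HTTPS script, so serving the whole app over HTTPS removes both the preflight and that exposure.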