First thought: why is the first action to assign a cookie? I'm betraying my own prejudice against these badly exploited critters here, but given the existance of other, less exploitable, and therefore, less rejected mechanisms for session state persistance, why use a cookie.

Second. In order to assign the visitor a unique id, you need to gather identifying information from the user by which to associate them with the ID. As a visitor who has just come by to gather information, if the first thing I am met with is a long form asking for personal identification, you've lost me as a potential customer. I've moved on before your form has finished rendering.

Much better I think to create a session ID and allow me to 'bookmark' any products I see of interest at the server end--usually described as "Add to your shopping trolley/basket/cart", and not actually ask for identification until such times as I opt to 'Go to the checkout'. One benefit, apart from allowing browsers to browse without supplying their life history, is that if the visitor never makes it to the checkout, you haven't created records in your DB that will serve no useful purpose other than to clutter it up. Unless you are thinking of using their details for spamming, and your not one of 'those' I'm sure:^).

If, as and when the visitor makes it to the checkout, I think I would personally do the calculations, present the 'Invoice' with the opportunity for changes, deletions etc, and the final tally, and upon confirmation that the user wishes to purchase, hand over to the SLL session to gather (minimal) user information, delivery address and CC details etc.

From my perspective as a consumer/customer, it would be even better if the actual financial information was gathered and processed by a third party, specialising in such transactions (but not Passport!), that would--once the details have been processed--simply pass back to the originating site, a confirmation of purchase and a delivery address. That way, I only have to provide my details to once, and can use my electronic wallet (for want of a better description) to make purchases at a range of sites without having to re-supply my personal details. Less frustration for me as a consumer. Less risk as my details are only kept at one place specialising in secure transactions. Less risk to you the site owner as you are less liable to be held liable if something goes wrong, as you never had any details for anyone to steal.

That's how I would like things to work. I just hope the guys working on the open alternative to Passport get their act together and make it work.