Forum Moderators: coopster

destroy session

jackvull

3:22 pm on Jan 10, 2006 (gmt 0)

10+ Year Member



On my site, users have the ability to login securely via SSL. I reset the sessionid on each new request for a page and I give them the ability to logout and destroy the session.

The problem is that after logging in, the user can request a non-secure page, i.e. the part of the site that doesn't need to be secure or require users to be logged in. The problem with this is that the sessionID will no longer be secured by SSL and it will not be changed on every page so a hacker could potentially get hold of the session and log in themselves.

Is there a way round this, or to somehow require the user to logout when leaving the secure site...or automatically destroying the session when leaving the secure site?

jatar_k

8:24 pm on Jan 10, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



you could use an auth routine for your non secured site that checks for the existence of the session and destroys it.

though that may not work as essentially they are different sites

jackvull

10:19 am on Jan 11, 2006 (gmt 0)

10+ Year Member



The problem is that I run sessions on my insecure site as well to keep state between the pages, i.e. there are dynamic links that I want kept for the same visitor until they close the browser.

Would it be acceptable to keep changing the session id on the insecure site as well? That way if someone moves, after having logged in, from SSL to normal, the session id will keep changing and the old one used to login will no longer be valid?

jatar_k

4:03 pm on Jan 11, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



the thing I don't really understand is why you constantly change the id

you should be able to set up your authentication to not allow session hijacking without having to swap session ids all the time. Maybe you need to add more criteria to your session such as a time out and maybe even the user's ip address

maybe take a look at this thread
[webmasterworld.com...]

jackvull

4:34 pm on Jan 11, 2006 (gmt 0)

10+ Year Member



I read somewhere that it was best to keep changing the session ID on every page request for security against hacking even over a SSL connection. Is this not worth it?

I guess the alternative would just be to regenerate a session ID each time the user has to do something to authenticate themselves, e.g. log in, reset password, etc.

There's also some stuff written about AOL changing the user's IP address on every request and multiple computers hiding behind a single IP address (corporate gateway) so that might rule out the IP check?
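To make the options discussed in this thread concrete, here is an added example (not code from any poster): a small server-side session store that keeps the logged-in state in its own cookie flagged Secure and HttpOnly, so the browser never sends that id on a plain-http page, regenerates the id at login as the last post suggests, and enforces the idle timeout jatar_k mentions. The store class, cookie names and the 15-minute timeout are assumptions for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped (assumed value)


class SessionStore:
    """Server-side store: each id maps to its data and the time it was last seen."""

    def __init__(self):
        self._sessions = {}

    def create(self, now):
        sid = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, not guessable
        self._sessions[sid] = {"data": {}, "seen": now}
        return sid

    def load(self, sid, now):
        """Return the session's data, or None if the id is unknown or idle too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["seen"] > IDLE_TIMEOUT:
            self.destroy(sid)  # expired sessions are removed, not just hidden
            return None
        s["seen"] = now
        return s["data"]

    def regenerate(self, sid, now):
        """Move the data to a fresh id and forget the old one (done at login)."""
        old = self._sessions.pop(sid, {"data": {}, "seen": now})
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"data": old["data"], "seen": now}
        return new_sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(name, sid, secure):
    """Build the Set-Cookie value. With Secure set, the browser withholds the cookie on
    http:// pages, so the authenticated id is never exposed when the user leaves SSL."""
    c = SimpleCookie()
    c[name] = sid
    c[name]["httponly"] = True  # not readable by page scripts
    c[name]["path"] = "/"
    if secure:
        c[name]["secure"] = True
    return c[name].OutputString()


def login(store, pre_login_sid, user, now):
    """Authenticate over SSL: discard the pre-login id, then mark the fresh one as logged in."""
    sid = store.regenerate(pre_login_sid, now)
    store.load(sid, now)["user"] = user
    return sid
```

The plain-http part of the site gets its own id via `session_cookie("sid", ..., secure=False)`; it carries only the visitor's page state, never the login.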