I know the general definition but I need more details on how to implement them in general and PHP in specific, and what exactly are the features I gain from them?
some webservers are configured to mirror the whole site, so you can get every page over http or https, depending on what you prefer, or how the webbrowser sends them around. https is secure, but a bit slower and it puts more strain on your hardware.
so you might implement your site and shop as usual, but decide to put everything from the cart to the checkout, payment and so on under https. to accomplish this, all links to the shopping cart are absolute and prefixed with https:// instead of http://. now, if people click on the shopping cart icon, they're transferred to the secure version, and because all links from there on are relative again, they stay there.
but! they might replace the https with http manually, or go on the unencrypted version using a malicious link, etc. in this case, you probably might want to check if your script was called over https ($_SERVER["SERVER_PROTOCOL"], afaik), and deny the execution if not (good practice). or issue a redirect to the secure site.
on a side note: https is not using ssl exclusively anymore, tls (the successor to ssl, see rfc2818) is more modern
rule of thumb: users should have the choice if they want http or https in noncritical environments, but be forced to use https on the critical parts of your site (login/cart/payment/…) to prevent malicious attacks.
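An added example, not part of the answer above: one way to write the "check if the script was called over https, then deny or redirect" step in PHP. The names `CANONICAL_HOST`, `request_is_https`, `https_gate` and the host `shop.example.com` are assumptions made for this sketch. It tests `$_SERVER['HTTPS']`, because `$_SERVER['SERVER_PROTOCOL']` reports only the HTTP version and does not show whether TLS is in use.

```php
<?php
declare(strict_types=1);

// Assumption: canonical host comes from site config, not the client's Host header.
const CANONICAL_HOST = 'shop.example.com';

// True when the request reached PHP over TLS. $_SERVER['HTTPS'] is non-empty
// for HTTPS requests (IIS sets "off" for plain HTTP). SERVER_PROTOCOL only holds
// the HTTP version such as "HTTP/1.1". Behind a TLS-terminating proxy HTTPS is
// not set; that setup is not handled here.
function request_is_https(array $server): bool
{
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    return $https !== '' && $https !== 'off';
}

// Decision for a protected page: [status, headers]; 200 means "continue".
function https_gate(array $server): array
{
    if (request_is_https($server)) {
        // Tell the browser to keep using HTTPS for this host.
        return [200, ['Strict-Transport-Security: max-age=31536000']];
    }
    $method = strtoupper((string)($server['REQUEST_METHOD'] ?? 'GET'));
    if ($method === 'GET' || $method === 'HEAD') {
        $uri = str_replace(["\r", "\n"], '', (string)($server['REQUEST_URI'] ?? '/'));
        return [301, ['Location: https://' . CANONICAL_HOST . '/' . ltrim($uri, '/')]];
    }
    // A form body already travelled unencrypted: deny instead of redirecting.
    return [403, []];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests, for running the file offline.
    $samples = [
        ['HTTPS' => 'on', 'REQUEST_METHOD' => 'GET', 'REQUEST_URI' => '/cart'],
        ['REQUEST_METHOD' => 'GET', 'REQUEST_URI' => '/cart?item=3'],
        ['HTTPS' => 'off', 'REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/checkout'],
    ];
    foreach ($samples as $s) {
        [$status, $headers] = https_gate($s);
        echo $status, ' ', implode('; ', $headers), PHP_EOL;
    }
} else {
    [$status, $headers] = https_gate($_SERVER);
    foreach ($headers as $h) { header($h); }
    if ($status !== 200) { http_response_code($status); exit; }
}
```

Include the file at the top of every cart, checkout and payment script, before any output is sent, so the redirect or denial happens before the page runs.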