Never seen this happen before if setup in Admin to use SSL. What version you running?

I tried your checkout page, https://teamteeshop.com/checkout/checkout.aspx. I then tried changing the HTTPS to HTTP, i.e. http://teamteeshop.com/checkout/checkout.aspx. It redirected to HTTPS properly for me when using all of my browsers - Google Chrome, Mozilla FireFox and MSIE8.

Could there be certain browsers or Mac or other clients where the issue happens?

Thanks for the replies. That's the crazy part - that it works for me on all browsers but I've watched it happen (not redirect) on other people's machines. Are you guys thinking this could be a setting(s) within the browser? Is there a way to force the use of https or prompt the user? I'm not sure why it would work on some and not others without any kind of prompt.

What kind of settings could I look into for the browser - cookies, SSL, etc?

Edit: Just wanted to also add that those folks who aren't getting redirected to an https page on TeamTeeShop.com are getting redirected to https pages on other stores like edhardyshop.com. So that just really baffles me that it would work on most every other site except ours. Do you guys happen to know where this redirect occurs? Would it be on the Cart.aspx or Checkout.aspx files?

It just doesn't feel like a browser issue to me b/c people are able to redirect to https pages on other sites just fine.

I would think that if the SSL handshake is not successful that it would prompt the user in some way, but again I know understand much about SSL.

Unfortunately I don't understand the BVC code and I'm not sure where it's currently setting the redirect, so I don't know how to force it to always use https. I see a Checkout.aspx file in the BVModules/Checkouts/One Page Checkout dir and then there is a Checkout.master file in the dir for the Sports Shop theme. I'm not sure how either of these files are being used.

If you check your /App_Code/BaseStorePage.vb, you'll find SSL redirects take place from there. You could always add log messages there, to the website log that you can view in the store admin area. Perhaps you could log there if the SSL redirect logic was false. Perhaps logging the visitor's HTTP headers might be a starting point to diagnose the issue.

Hmmm, thought we had already been through this www thing.
Nice nice btw. Looks like it has good potential.

All, thank you very much for the help - it's greatly appreciated. I guess this is a known issue? I searched this forum with no luck in finding this answer but hopefully this will help someone else down the road.

Wallace, thanks for the explanation of the www vs non-www. I ended up installing the tool in the link below to handle the redirect and it seems to be working so thanks again!
http://www.iis.net/download/URLRewrite

Hmm, I was thinking more about different TLDs. My client has a .com and a .ca domain. We're on the fence about having the site run on both .ca and .com, versus redirecting all requests to .com. BV's licensing allows a single license to run on multiple TLD's since the licensing is per store, providing both TLDs are hosted on the same server / database. It might be a nice idea to have support in the BV admin area to support SSL across different TLDs for this type of scenario.

I'm still debating, I don't have a strong opinion either way since both approaches have their pros and cons. Thoughts on that?

The reason that BV 5 doesn't support www. and non-www. domains for SSL redirect is that it was designed to work with shared SSL certificates. In past years it was not uncommon to have www.domain.com and then domain.securehost.com or something similar for the SSL side.

So, the code in BV that checks to switch between domain names does an exact match on the address in the URL. This prevents it from doing an endless loop of redirects when going from non-SSL to SSL. If the domain name matches the site root setting it can redirect to the site secure root.

There are other ways to handle this and BV 6 will support multiple non-secure domain names but BV 5 requires an exact match.

As Matt pointed out, it is best practice for SEO to redirect all matching domains to a single name. For example, if you visit http://bvsoftware.com you are 301 redirected to http://www.bvsoftware.com. This keeps Google from indexing two URLs for the same homepage of our site. I highly recommend that you consider this for your stores too.