Hi Iuri,
In my experience this has worked without an issue. I had a static site on one domain send "add to cart" requests on another domain and there were no issues like this.
Are both sites using OpenACS? If so, is there a way to make sure that any session_id from the first site is not sent to the second. I suspect
ec_create_new_session_if_necessary
is passing a session_id from the first site as a legit session_id for the second, which it should not be.
best wishes,
Ben