holyhttp: thanks for the advice. For some reason even that wasn't working, because we were in a secure area, whereas the session is created in a non-secure area. It was a weird fluke that I've never experienced before, but I think I figured it out.

Because the orders are tied to the session_id, I could check if a completed order already existed with that session_id once the user got back to the cart. If so, then session_regenerate_id(). It works like a charm.

I don't know if this will be any help to anyone in the future. I sure hope no one else has to deal with this.