Is it ok to have http and https requests point to the same directory such as var/www/? It seems like it would be alright since when you're, say, authenticating a user you can just make sure to call https instead of http. However, I can see how a malicious user could use JavaScript to change the https URL to an http URL. If it's best to split them between two directories, any recommendations on how to do this with a framework, since you would have to duplicate a lot of code between the directories?
I suppose it would depend on your setup, but most configurations I've seen point them to the same place.
Also, mu:
If you have data that needs to have its confidentiality or integrity (during transport) protected it would seem to me that not even making it capable of being available via an unencrypted protocol would be prudent. Relying on browser behavior to warn the user that they're receiving content via an unencrypted channel is likely to just be ignored anyway.
How you handle this with your particular framework isn't something I can say w/o knowing more. I wouldn't want any duplication of code but, if I had to, I'd probably symlink the relevant directories.
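
One way to keep a single shared directory while making protected paths unavailable over plain HTTP, enforced on the server rather than by which URL the client calls. This is an added example, not code from the question or either answer; Python/WSGI is an assumption because the thread names no framework, and `RequireHTTPS`, `demo_app`, `probe`, the host `app.example.test` and the path prefixes are hypothetical. It assumes the server sets `wsgi.url_scheme` to the scheme the client actually used.

```python
from urllib.parse import quote

def demo_app(environ, start_response):
    # Stand-in for the framework application served for both schemes.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

class RequireHTTPS:
    """Wrap one WSGI app so protected paths are answered only over TLS."""

    def __init__(self, app, https_host, protected_prefixes):
        self.app = app
        self.https_host = https_host  # fixed value, never the client's Host header
        self.prefixes = [p.rstrip("/") for p in protected_prefixes]

    def _protected(self, path):
        # Match whole path segments so "/account" does not cover "/accounting".
        return any(path == p or path.startswith(p + "/") for p in self.prefixes)

    def __call__(self, environ, start_response):
        path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
        if environ.get("wsgi.url_scheme") == "https" or not self._protected(path):
            return self.app(environ, start_response)
        if environ.get("REQUEST_METHOD") in ("GET", "HEAD"):
            # Nothing sensitive has been sent yet, so redirect to the TLS URL.
            url = "https://" + self.https_host + quote(path)
            if environ.get("QUERY_STRING"):
                url += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", url), ("Content-Length", "0")])
            return [b""]
        # A form posted over HTTP already crossed the wire in clear text:
        # refuse it instead of processing or silently redirecting it.
        body = b"HTTPS required\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]

def probe(app, method, scheme, path, query=""):
    """Call a WSGI app with a constructed request; return (status, headers, body)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, lambda s, h: seen.update(status=s, headers=dict(h))))
    return seen["status"], seen["headers"], body

# Constructed setup: the same app object serves both schemes.
site = RequireHTTPS(demo_app, "app.example.test", ["/login", "/account"])
```

Behind a TLS-terminating proxy the scheme seen by the application is the proxy's, so the check belongs wherever the client's scheme is actually known.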