A shopping cart should be handled as a resource, and products added/removed just as you may add or remove associations between any two resources in REST. Instead of the client saying "now purchase the items in my cart", the client should say "now purchase the items in cart #187462". Assign each cart a URL, and have your operations act upon that resource instead of some product array tied to the current session.
An alternative which is also stateless is to have the client track all items in the cart, but this means the user cannot leave the cart (abandon it) on one computer and resume shopping on another device.
Addendum: Remember that permissions/access control can be assigned independently. Sure, each cart has a URL, but be sure to make it so that the logged-in user can only see cart resources that they have created.
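The ownership check from the addendum, as an added example that is not part of the original answer: a framework-independent sketch in which every cart operation is authorized against the authenticated user before the cart is touched. The `CartStore` class, the user names, the route comments and the choice of status codes are assumptions made for illustration.

```python
import secrets


class CartStore:
    """In-memory cart resources; each cart records the user who created it."""

    def __init__(self):
        self._carts = {}

    def create(self, user):
        # POST /carts -> the new cart lives at /carts/<cart_id>
        if user is None:
            return 401, None
        cart_id = secrets.token_urlsafe(8)
        self._carts[cart_id] = {"owner": user, "items": {}}
        return 201, cart_id

    def _authorize(self, user, cart_id):
        # `user` comes from the authenticated request (token, login),
        # never from the URL or body. Checked on every operation.
        if user is None:
            return 401, None
        cart = self._carts.get(cart_id)
        # Same response for "no such cart" and "someone else's cart",
        # so the reply does not confirm which cart ids exist.
        if cart is None or cart["owner"] != user:
            return 404, None
        return 200, cart

    def get(self, user, cart_id):
        # GET /carts/<cart_id>
        status, cart = self._authorize(user, cart_id)
        return status, (dict(cart["items"]) if cart else None)

    def put_item(self, user, cart_id, product_id, qty):
        # PUT /carts/<cart_id>/items/<product_id>
        status, cart = self._authorize(user, cart_id)
        if cart is None:
            return status, None
        if not isinstance(qty, int) or qty < 1:
            return 400, None
        cart["items"][product_id] = qty
        return 200, dict(cart["items"])
```

Because the cart is addressed by its URL and authorized by the logged-in identity rather than by session contents, the same user can resume it from another device, while a different user who learns the URL gets the same 404 as for a cart that does not exist.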