Hi Hugh, also, I would probably use the J2EE container user to log the user into the repository with a login module that accepts credentials without a password. Maybe, depending on your application, you can even use the J2EE user id as your identifier for the session, which would allow you to avoid the "session id" altogether.
Regards, David
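As an added illustration of the approach David describes (this is example code, not from the original message or any project it refers to), below is a hypothetical JAAS LoginModule that accepts a user id with no password, together with a servlet-side call that passes the container-authenticated user to a JCR repository. Names such as `ContainerUserLoginModule` are assumptions; the `javax.jcr` and `javax.security.auth` types are standard APIs. The module only ever issues a `NameCallback`, so it never asks for a password, and it refuses to proceed when no user id is supplied; because it trusts the name it receives, it belongs only behind a code path where the container has already authenticated the request (for example `request.getRemoteUser()` under container-managed security), never on an endpoint that clients can reach with arbitrary credentials.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Hypothetical JAAS login module (example only) that trusts a user id the
 * J2EE container has already authenticated. It issues no PasswordCallback.
 */
public class ContainerUserLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String userId;
    private boolean succeeded;
    private Principal principal;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        if (handler == null) {
            throw new LoginException("no callback handler available");
        }
        NameCallback nameCb = new NameCallback("container user id");
        try {
            // Only a NameCallback is issued: no password is requested or checked.
            handler.handle(new Callback[] { nameCb });
        } catch (Exception e) {
            throw new LoginException("callback handling failed: " + e.getMessage());
        }
        userId = nameCb.getName();
        // Refuse empty ids: an unauthenticated request must not become a repository session.
        if (userId == null || userId.trim().isEmpty()) {
            throw new LoginException("container supplied no authenticated user");
        }
        succeeded = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!succeeded) {
            return false;
        }
        final String name = userId;
        principal = new Principal() {
            @Override public String getName() { return name; }
            @Override public String toString() { return "ContainerUser[" + name + "]"; }
        };
        subject.getPrincipals().add(principal);
        return true;
    }

    @Override
    public boolean abort() {
        succeeded = false;
        userId = null;
        return true;
    }

    @Override
    public boolean logout() {
        if (principal != null) {
            subject.getPrincipals().remove(principal);
        }
        succeeded = false;
        userId = null;
        return true;
    }
}

/*
 * Servlet-side usage (assumed, example only): the container has already
 * authenticated the request, so the remote user name is passed on to the
 * repository with an empty password, which the module above ignores.
 *
 *   String user = request.getRemoteUser();
 *   if (user == null) {
 *       response.sendError(javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED);
 *       return;
 *   }
 *   javax.jcr.Session session =
 *       repository.login(new javax.jcr.SimpleCredentials(user, new char[0]));
 */
```

The check that a practitioner would add around this is on the deployment side: the JAAS configuration that names this module must be the one used by the web tier only, and the repository must not expose a second login path (RMI, WebDAV, or a direct `Repository.login` from untrusted code) that reaches the same module with a caller-chosen user id.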
