Vsevolod Ilyushchenko wrote:
> Yes, but I still should be able to propely handle people who go to any of > the protected sites first thing in the morning. I don't think I can get > away with only exit-point authentication that you propose. If the > entrance-point authentication works well, there should be no need for this > additional level. (Please correct me if I am wrong. :) Do cookies get set if returned via an image? If so, once the user has logged in, you could return a page with invisible images on it, where each image is from each site that the user needs to be authenticated to. Each image is unimportant. The important bit is that an authentication cookie is set for each domain the image is returned from. This leaves one tricky point as far as I can see: you need to securely identify which image request comes from each user. The obvious/easy way would be to put some sort of unique identifier in the path or query string, but this may not be secure enough for your purposes. Oh yeah, it'd break if they didn't have images on. :-( Steve -- Steve Piner Web Applications Developer Marketview Limited http://www.marketview.co.nz