Sounds to me like your JavaScript should be smarter?
i.e. it should ask top to open the full URL including
any optional message.

Why not include this in your real login page:

<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">
<!--
// Frame buster
if ( top.location != document.location ) {
  top.location = document.location;
}
// -->
</SCRIPT>

and your authentication should do a server redirect to
something like
  /login?message=Inactivity+timeout

and the page can taint-check and display message

I no longer use this simple framebuster, as most of my 
websites use multiple windows, so I have to cope with
/login being opened in a child window, and/or a frame.
For this I use a home-brewed openWindow() function and
a window naming scheme.

Regards

Jeff

PS I don't have much mod_perl yet, so excuse me if I err.
There may be a better mod_perlish way.

-----Original Message-----
From: Fran Fabrizio [mailto:[EMAIL PROTECTED]] 
Sent: 17 April 2002 23:01
To: [EMAIL PROTECTED]
Subject: framesets/AuthCookie question



I'm using AuthCookie and as some of you know, if it determines your 
session to be invalid it redirects to a login page instead by way of a 
FORBIDDEN response coupled with a custom error page.

My app has a frameset (navigation on the left, and two data frames on 
the right).  I know the evils of framesets, but in our case, it's the 
best way to present our particular data.

What ends up happening is that if the session expires, AuthCookie 
displays the login page inside whatever frameset you were clicking in, 
while the other two remain on whatever they were on previously.

I made a quick solution...I told AuthCookie that my login page was 
login.html.  login.html had javascript which called /real/login (a 
mod_perl handler) and targeted it to the top frame.  All is well and now 
the entire browser window gets cleared and replaced with the login page.

However...I then thought it'd be neat to include on the /real/login page 
a message to tell them how they got there ("Your session has expired", 
"Your account has logged on from another location", "Invalid 
username/password combination", whatever...).

At first I thought I could accomplish this by simply doing 
$r->notes('LOGINFAILMSG' => 'Your session has expired') if AuthCookie 
detected it to be thus, and then in my handler I could retrieve it and 
display it.

However, it's failing of course because I added the extra redirection of 
the login.html w/ the javascript, which makes a round trip to the client 
and back, so it looks like a brand new request to mod_perl, thus, no 
notes() any more.  Is there a solution to breaking out of the frameset 
AND propagating the reason for the logout to the /real/login page?

I'd appreciate any and all ideas.  Thanks!

-Fran


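One way to carry the logout reason through the frame-busting redirect, as an added example that is not code from the thread: login.html forwards only an allowlisted reason code to the top window, and the login page maps that code to fixed text instead of echoing the query string. It assumes the server redirects to login.html with the code in a `message` parameter; the reason codes, the function names and the use of JavaScript for the login-page check (the thread's handler is mod_perl) are assumptions.

```javascript
// Added example: reason codes and function names are assumptions.
// Allowlist of reason codes mapped to fixed display text. Only the code
// travels in the URL; the text shown to the user never comes from the client.
const REASONS = new Map([
  ["timeout", "Your session has expired"],
  ["elsewhere", "Your account has logged on from another location"],
  ["badlogin", "Invalid username/password combination"],
]);

// Return the reason code from a query string, or null if it is missing
// or not on the allowlist.
function reasonFrom(search) {
  const code = new URLSearchParams(search).get("message");
  return code !== null && REASONS.has(code) ? code : null;
}

// login.html side: URL to load in the top window. Unknown codes are dropped.
function buildLoginUrl(search, loginPath = "/real/login") {
  const code = reasonFrom(search);
  return code ? loginPath + "?message=" + encodeURIComponent(code) : loginPath;
}

// Escape the five HTML-significant characters before writing text into markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Login page side: HTML for the message, empty string when there is none.
function renderLoginMessage(search) {
  const code = reasonFrom(search);
  return code ? '<p class="login-msg">' + escapeHtml(REASONS.get(code)) + "</p>" : "";
}

// Browser wiring for login.html: break out of the frameset, keep the reason.
if (typeof window !== "undefined" && window.top !== window.self) {
  window.top.location.replace(buildLoginUrl(window.location.search));
}
```

Because the page only ever prints text from its own table, a crafted `message` value cannot inject markup or put attacker-chosen wording on the login form.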