in reply to Re: Security in CGI and User Authentication
in thread Security in CGI and User Authentication
Apache::Ticket* in the Eagle Book has a very cool approach to this sort of stuff.
The basic approach is to redirect HTTP requests without a 'ticket' (param/cookie/whatever) to an auth server that performs some sort of auth on the user, creates a crypto ticket with the user's name, remote IP and timestamp contained in it, and redirects the user back to the original server.
So the client now has a ticket that can be used in every request, and the original server can read and validate it using the auth server's public key.
iirc.... :)
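
An added example (not from the post and not the Eagle Book's Apache::Ticket* code) of issuing and validating a ticket of the kind described above. It assumes an HMAC-SHA256 shared secret in place of the public-key signature the post mentions; the function names, the `|` field separator, the secret, the 15-minute lifetime and the addresses are constructed for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: shared-secret HMAC stands in for a public-key signature; all names are hypothetical.
my $SECRET  = 'constructed-demo-secret';   # constructed; keep the real one out of the web root
my $MAX_AGE = 15 * 60;                      # seconds a ticket stays valid

# Auth server: after authenticating the user, issue "user|ip|issued|mac".
sub make_ticket {
    my ($user, $ip, $now) = @_;
    die "bad user name\n" unless $user =~ /\A[\w.-]+\z/;       # keeps '|' out of the fields
    die "bad address\n"   unless $ip   =~ /\A[0-9A-Fa-f.:]+\z/;
    my $body = join '|', $user, $ip, $now;
    return $body . '|' . hmac_sha256_hex($body, $SECRET);
}

# Constant-time comparison, so the MAC check does not reveal how many characters matched.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Original server: returns the user name, or undef when the ticket is rejected.
sub check_ticket {
    my ($ticket, $remote_ip, $now) = @_;
    my @f = split /\|/, ($ticket // ''), -1;
    return undef unless @f == 4;
    my ($user, $ip, $issued, $mac) = @f;
    my $expected = hmac_sha256_hex(join('|', $user, $ip, $issued), $SECRET);
    return undef unless ct_eq($mac, $expected);                # forged or altered
    return undef unless $ip eq $remote_ip;                     # presented from another address
    return undef unless $issued =~ /\A\d+\z/
        && $now >= $issued && $now - $issued <= $MAX_AGE;      # expired or future-dated
    return $user;
}

my $t0     = 1_700_000_000;                                    # constructed timestamp
my $ticket = make_ticket('alice', '192.0.2.10', $t0);
(my $forged = $ticket) =~ s/\Aalice/admin/;                    # name changed, MAC left as issued
for my $c (['valid',         $ticket, '192.0.2.10',   $t0 + 60],
           ['other address', $ticket, '198.51.100.7', $t0 + 60],
           ['expired',       $ticket, '192.0.2.10',   $t0 + 3600],
           ['name altered',  $forged, '192.0.2.10',   $t0 + 60]) {
    my ($label, @args) = @$c; my $user = check_ticket(@args);
    printf "%-14s %s\n", $label, defined $user ? "accepted as $user" : 'rejected';
}
```

The MAC is verified before any field is trusted, so the address and age checks only ever run on values the auth server actually issued.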