(Also, when they re-login, if you've kept the expired session around, you can drop them back where they were).
A trick I used to do with ASP (yeah, yeah, I know...) was to have my session management and authentication handled inline with the page as an include -- much like a <dtml-var>. If the user didn't have a session or their session had expired, I'd generate a login form, create hidden fields for any POSTed items, and terminate the render there. When they logged in, they'd go straight back to where they were and continue what they were doing. The alternative would be spending a lot of time composing some kind of posting, only to have all the effort thrown away when you posted and got redirected to the login form because your session had expired. Particularly with one of the popular browsers wiping the original form's contents when you hit the back button, handling things politely was a must. Regards, Garth. -- <gtk@well.com>