I have set up a portal of shopping sites. Each merchant we support has their own domain set up. e.g. http://www.some-merchant.com Seeing as they are shopping sites certain pages have to be handled by SSL. Due to SSL limitations only 1 SSL domain +certificate can exist per ip, and we only have 1 ip. Therefore my solution is that for non SSL pages the merchant can use their own unique domain name, but all SSL pages will be redirected to https://merchantname.portal.com and an SSL certificate is setup with a CN of *.portal.com A problem arises when switching between domains like this. The login cookie is lost. Curently i do a redirect between domains and include __ac_name and __ac_password arguments in the URL so the user stays logged in, but this causes the username and password to be displayed in the address bar in plain text. I'd like to secure this more. Is there any way that i could A - Encrypt __ac_name and __ac_password values? or B - Set the cookie for both domains so name and password dont have to be transferred? Hope someone has some idea! Thanks, Dek