I think the most likely scenario where this could be an issue and the proposed solution would help is if some of your site is http, but post-login, it changes to https to deal with more secure/personal information and features. I wouldn't tie this session swapping to the login process, but rather make it useable wherever the app developer wants, probably when a protocol change is made. Thoughts? Devon View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4050697#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...