>I have the user login then I store his credentials to a session variable. On evey method call, I pass in his credentials. If he somehow bypasses the login screen, the userid parms will be empty and he is redirected back to login screen. Works well, but there is probaly a more elegent way to do it.
You're doing that without requiring a SOAP header on the client side?
If you benefit of a session variable, I assume you are using low level API. When I do that, I get a new session ID for every hit. How are you accomplishing that?