>That's probably what I'll do ultimately, I was just wondering if there was some pre-built mechanism in Mere Mortals that already does this. I guess it's another of those areas of the MM architecture that's not well documented yet.
>
>Here's another question I have that you might be able to give me advice on (thanks for such a quick response, by the way). In my system the User Id is critical to certain operations - if I store it in Session and the session expires, how do I recover from that?
>
>If I have my web app set up for Forms authentication, does .Net automatically navigate to my logon page when the Session has expired, or is the authentication timeout setting completely separate from the Session timeout settings?

Some of this is updated in the next version of the framework. For example, when your session expires it can automatically redirect your user to a login page on the next hit. It should make this kind of stuff a lot nicer to deal with.

If you are using the built-in forms authentication in ASP.NET, there is an option you can set in the web.config file to specify where the user should get redirected to when the form authentication expires. Sorry, I don't have the specific option handy - I looked at that a long time ago and decided to "roll my own" security instead of using what was included in ASP.NET. Take a look at http://samples.gotdotnet.com - I'm pretty sure I grabbed samples from there.

Forms authentication timeout and session timeouts are independent of one another (which is kind of weird).

You need to ensure that the session doesn't expire if you don't want to lose the user ID. By default, they'll timeout at 20 minutes after the last time the user has hit the website. I've found, in most of my web applications, that that isn't enough time. I normally bump it up to an hour (via Session.Timeout = 60; ).