We also ought to clear the session cookie if it cannot be decoded - just like we do now for the granting cookie. If I have a bogus session cookie (I am using the POST method), I get an infinite loop through the login server due to the bogus session never getting cleared.

Jim