myndzi: thanks for your feedback about my lack of secure login (: Just to make sure we're on the same page: I use browserID. I make a post to the browserID server and get back the user's email. I then add a cookie with loggedin=true, send the email back to the client, and save the email in a JS variable on the client. You're saying it's not secure since an evil developer can call my API with a similar cookie?