Problem: Users who forget to click the "Done" button or close the browser before leaving. Solution 1: Throw away cookies as soon as the user leaves the domain. Problem: Not all webmail links open in a new window. Solution 2: Remember a hash of their webmail password and require them to re-enter it to continue to use their cookie. With this approach, only cookies on password-protected sites are protected. Problem: How would you make the dialog not spoofable?