...
[10:40:29 CST(-0600)] <chilversc_> which can be annoying if the page from app2 supports both anonymous and authenticated users but shows customized content to authenticated users
[10:42:56 CST(-0600)] <chilversc_> one thought I had for this was to set a cookie that was just a marker, so then app2 sees the cookie exists, sees it does not have its own session (via what ever means the app uses for this) so performs the standard authentication handshake