tadalist is unsecured

I always look to 37signals when I need design ideas or when looking for precedent for how to solve certain problems. My problem this time was: how to gracefully handle your Ajax calls failing due to your login session expiring? I looked at tadalist. To my surprise, even after I deleted the session cookie, modifying the list still worked. I looked at the request headers and it seemed like they simply weren't securing the app at all. I wrote a quick socket program to verify this, and it was true: anyone who has the ID of your list and/or items can make modifications to them. I guess they just felt this app is not mission critical enough to worry about this kind of stuff. What about the todolist in Basecamp? Hmm... let me check... result: they don't really handle this gracefully in Basecamp. If you try to check off a list without auth, it just hangs there forever. I guess I'll have to get creative and come up with my own solution here.
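The two problems described above (an endpoint that accepts edits from anyone holding a list ID, and a client that hangs when the session is gone) map onto two small pieces of code: a server-side handler that requires a live session and checks list ownership, and a client-side wrapper that turns 401/403/timeout into a UI decision instead of a spinner. The block below is an added example written for this post; it is not code from the post, from tadalist or from Basecamp. Every identifier in it (`sessions`, `lists`, `toggleItemHandler`, `interpretResponse`, `callWithDeadline`, the `transport` callback) is hypothetical, and the session and list data are constructed for the demo. In a real page `transport` would wrap `fetch()` or `XMLHttpRequest`.

```javascript
// Added example, not code from the original post nor from tadalist/Basecamp.
// All identifiers are hypothetical; the session/list data are constructed.

// ---------- server side: the check that was missing ----------
// Constructed sample state: two logged-in users, one list owned by alice.
const sessions = new Map([
  ["sess-alice", { userId: "alice" }],
  ["sess-bob", { userId: "bob" }],
]);
const lists = new Map([
  ["list-1", { ownerId: "alice", items: { "item-7": { done: false } } }],
]);

// Ajax endpoint that toggles an item. Knowing the list/item ID is not enough:
// the caller needs a live session AND that session's user must own the list.
function toggleItemHandler(req) {
  const session = req.sessionCookie ? sessions.get(req.sessionCookie) : undefined;
  if (!session) return { status: 401, body: { error: "login required" } };
  const list = lists.get(req.listId);
  if (!list) return { status: 404, body: { error: "no such list" } };
  if (list.ownerId !== session.userId) {
    return { status: 403, body: { error: "not your list" } };
  }
  const item = list.items[req.itemId];
  if (!item) return { status: 404, body: { error: "no such item" } };
  item.done = !item.done;
  return { status: 200, body: { itemId: req.itemId, done: item.done } };
}

// ---------- client side: failing gracefully instead of hanging ----------
// Turn an HTTP result into a UI decision. Pure function, so it is easy to test.
function interpretResponse(res) {
  if (res.timedOut) {
    return { ok: false, action: "retry", message: "The server did not answer; try again." };
  }
  switch (res.status) {
    case 200:
      return { ok: true, action: "update-ui", data: res.body };
    case 401:
      return { ok: false, action: "relogin", message: "Your session expired. Please log in again." };
    case 403:
      return { ok: false, action: "reload", message: "You no longer have access to this list." };
    default:
      return { ok: false, action: "show-error", message: `Request failed (${res.status}).` };
  }
}

// Race the request against a deadline so a silent server cannot leave the
// checkbox spinning forever. `transport(req)` returns a Promise of a response.
function callWithDeadline(transport, req, ms) {
  let timer;
  const deadline = new Promise((resolve) => {
    timer = setTimeout(() => resolve({ status: 0, timedOut: true }), ms);
  });
  return Promise.race([transport(req), deadline]).then((res) => {
    clearTimeout(timer);
    return interpretResponse(res);
  });
}

// Demo: the same edit with and without a session cookie, plus a dead server.
const withSession = { sessionCookie: "sess-alice", listId: "list-1", itemId: "item-7" };
const noSession = { listId: "list-1", itemId: "item-7" };
console.log(interpretResponse(toggleItemHandler(withSession))); // action: "update-ui"
console.log(interpretResponse(toggleItemHandler(noSession)));   // action: "relogin"
callWithDeadline(() => new Promise(() => {}), withSession, 50)  // server never answers
  .then(console.log);                                           // action: "retry"
```

The client never sees a hung request: either the transport answers and the status decides what the UI does (re-login prompt on 401, reload on 403, error on anything else), or the deadline fires and the UI offers a retry. On the server, the 401 and 403 branches are the part tadalist's endpoint appears to lack in the post's observation; the cheap ID check alone is not an authorization decision.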
