Personally I'm from the "keep it all in one window" school,
although I can see the attractiveness of placing short
self-contained interactions in a popup window.
You can avoid the "clicked in the main window and now I've lost
the popup" situation by using IE's window.showModalDialog() to
open a window that will hold focus untill it is closed, if you're
willing to tie yourself to IE... I presume the same behaviour can
be obtained with window.setZOptions() or onBlur="focus()" type
There are 3 solutions I can see to your particular requirement,
none of which are particularly apealing to me.
Given that opening a new window for the login sequence can be
triggered by a) clicking on a link with an appropriate onClick
handler or target attribute, or b) an onLoad handler in a page -
a) can be achieved by ensuring every link presented to the user
has been modified to do the right thing (open login popup) if the
user doesn't have correct privileges to view the target page. The
general way to do this would be to give the request processor or
templating system knowledge of what pages are potentially
restricted and have it/them rewrite links on the fly in served
pages, but it'd probably be easier to manually go through every
page that might potentially link to restricted content and add
permission-checking logic there (I wouldn't want to maintain
somethink like that). The problem with both of these aproaches
is you're requiring someone else (individual pages or
RP/templating) to know the authorization status of every page in
the site instead of allowing individual pages to make up their
own minds when actually loaded.
b) allows you to keep privilege information in a page it affects
instead of pages that link to it, but you've lost the interaction
advantage of popping up a window saying "you need to login to
do that [OK] [Cancel]" and allowing a user to not follow the link.
Your interaction is then exactly the same as the standard ACS
process, and the popup gains you nothing in useability, so why