I have an application that relies heavily on web services. In addition to a username and password sent up via HTTP to authenticate the caller, I would like to pass an additional session identifier to be compared with credentials on the server side. This session identifier will only be disclosed once a more involved authentication process occurs.

Does anyone have any suggestions on the best approach for handling this?