diff --git a/sys/vane/light.hoon b/sys/vane/light.hoon
index f73c57bc23..1771146780 100644
--- a/sys/vane/light.hoon
+++ b/sys/vane/light.hoon
@@ -361,6 +361,8 @@
 =. action.record u.action
 =. connections.state (~(put by connections.state) duct record)
 ::
+ =/ authenticated (request-is-logged-in:authentication http-request)
+ ::
 ?- -.u.action
 ::
 %gen
@@ -381,7 +383,7 @@
 :: %handle-http-request type.
 ::
 ^- cush:gall
- [app.u.action %poke %handle-http-request !>([secure address http-request])]
+ [app.u.action %poke %handle-http-request !>([authenticated secure address http-request])]
 ::
 %login-handler
 (handle-request:authentication secure address http-request)
@@ -486,11 +488,38 @@
 ==
 :: +request-is-logged-in: checks to see if the request is authenticated
 ::
+ :: We are considered logged in if this http-request has an urbauth
+ :: Cookie which is not expired.
+ ::
 ++ request-is-logged-in
 |= =http-request
 ^- ?
+ :: are there cookies passed with this request?
 ::
- %.n
+ :: TODO: In HTTP2, the client is allowed to put multiple 'Cookie'
+ :: headers.
+ ::
+ ?~ cookie-header=(get-header 'Cookie' header-list.http-request)
+ %.n
+ :: is the cookie line is valid?
+ ::
+ ?~ cookies=(rush u.cookie-header cock:de-purl:html)
+ %.n
+ :: is there an urbauth cookie?
+ ::
+ ?~ urbauth=(get-header 'urbauth' u.cookies)
+ %.n
+ :: is this formatted like a valid session cookie?
+ ::
+ ?~ session-id=(rush u.urbauth ;~(pfix (jest '0v') viz:ag))
+ %.n
+ :: is this a session that we know about?
+ ::
+ ?~ session=(~(get by sessions.authentication-state.state) u.session-id)
+ %.n
+ :: is this session still valid?
+ ::
+ (lte now expiry-time.u.session)
 :: +code: returns the same as |code
 ::
 :: This has the problem where the signature for sky vs sley.
diff --git a/tests/sys/vane/light.hoon b/tests/sys/vane/light.hoon
index 037415dad3..69d53000b5 100644
--- a/tests/sys/vane/light.hoon
+++ b/tests/sys/vane/light.hoon
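Review bot: `authenticated` is bound before the `?-` on `-.u.action` in the first hunk of sys/vane/light.hoon, so the cookie parse and session lookup run for every action, while of the branches visible in this diff only the `%app` poke uses the result. Binding it inside the `%app` branch would keep the check next to its only visible consumer and make it clear that `%login-handler` does not depend on it. If other branches are meant to read it, a comment above the `=/` such as `::  authenticated: %.y if the request carries a live urbauth session cookie` would say so. The enclosing arm starts and ends outside the hunk.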
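Review bot: The `%handle-http-request` poke in the second hunk of sys/vane/light.hoon now begins with two adjacent flags of the same type, passed positionally in `!>([authenticated secure address http-request])`, so a receiving app that reads them in the wrong order gets no type error and silently confuses "logged in" with "arrived over a secure channel". The comment above `^- cush:gall` should state the order, for example `::  payload: [authenticated=? secure=? address http-request]`. The vane only reports the flag here and still delivers the request when it is `%.n`, so each app handling this poke has to enforce it; that is worth stating in the same comment.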
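Review bot: `+request-is-logged-in` in the third hunk of sys/vane/light.hoon returns `%.y` for any unexpired `urbauth` session without regard to transport security; the arm takes only `http-request`, and the new test in tests/sys/vane/light.hoon expects `authenticated=%.y` together with `secure=%.n`. If that is intended, the doc comment should say so, e.g. `::  note: does not consider transport security; callers check secure separately`; whether the cookie is issued with a Secure attribute is not visible in this diff. A session that fails the final `(lte now expiry-time.u.session)` check is left in `sessions.authentication-state.state`, so unless pruning happens elsewhere the map keeps expired entries. The comment `is the cookie line is valid?` should read `is the cookie line valid?`.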
@@ -249,7 +249,7 @@ :+ /run-app/app1 [~nul ~nul] ^- cush:gall :* %app1 %poke %handle-http-request - !>([%.n [%ipv4 .192.168.1.1] ['GET' '/' ~ ~]]) + !>([%.n %.n [%ipv4 .192.168.1.1] ['GET' '/' ~ ~]]) == card == @@ -332,7 +332,7 @@ :+ /run-app/app1 [~nul ~nul] ^- cush:gall :* %app1 %poke %handle-http-request - !>([%.n [%ipv4 .192.168.1.1] ['GET' '/' ~ ~]]) + !>([%.n %.n [%ipv4 .192.168.1.1] ['GET' '/' ~ ~]]) == card == @@ -436,7 +436,7 @@ :+ /run-app/app1 [~nul ~nul] ^- cush:gall :* %app1 %poke %handle-http-request - !>([%.n [%ipv4 .192.168.1.1] ['GET' '/~landscape/inner-path' ~ ~]]) + !>([%.n %.n [%ipv4 .192.168.1.1] ['GET' '/~landscape/inner-path' ~ ~]]) == card == @@ -463,14 +463,14 @@ =^ results5 light-gate %- light-call :* light-gate - now=~1111.1.2 + now=~1111.1.5 scry=*sley ^= call-args :* duct=~[/http-blah] ~ %inbound-request %.n [%ipv4 .192.168.1.1] - ['GET' '/~/login?redirect=/~landscape' ~ ~] + ['GET' '/~/login?redirect=/~landscape/inner-path' ~ ~] == ^= expected-moves ^- (list move:light-gate) @@ -480,7 +480,7 @@ %start 200 ['Content-Type' 'text/html']~ - [~ (login-page:light-gate `'/~landscape')] + [~ (login-page:light-gate `'/~landscape/inner-path')] complete=%.y == == == @@ -489,7 +489,7 @@ =^ results6 light-gate %- light-call :* light-gate - now=~1111.1.3 + now=~1111.1.6 scry=*sley ^= call-args :* duct=~[/http-blah] ~ 
@@ -518,6 +518,48 @@ complete=%.y == == == + :: going back to the original url will acknowledge the authentication cookie + :: + =^ results7 light-gate + %- light-call-with-comparator :* + light-gate + now=~1111.1.6..1.0.0 + scry=*sley + ^= call-args + ^- [=duct type=* wrapped-task=(hobo task:able:light-gate)] + :* duct=~[/http-blah] ~ + %inbound-request + %.n + [%ipv4 .192.168.1.1] + 'GET' + '/~landscape/inner-path' + ['Cookie' 'urbauth=0v3.q0p7t.mlkkq.cqtto.p0nvi.2ieea']~ + ~ + == + ^= comparator + |= moves=(list move:light-gate) + ^- tang + :: + ?. ?=([* ~] moves) + [%leaf "wrong number of moves: {<(lent moves)>}"]~ + :: + :: + =/ move=move:light-gate i.moves + =/ =duct duct.move + =/ card=(wind note:light-gate gift:able:light-gate) card.move + :: + %+ weld + (expect-eq !>(~[/http-blah]) !>(duct)) + :: expect authenticated=%.y in the handle below + :: + %+ expect-gall-deal + :+ /run-app/app1 [~nul ~nul] + ^- cush:gall + :* %app1 %poke %handle-http-request + !>([%.y %.n [%ipv4 .192.168.1.1] ['GET' '/~landscape/inner-path' ~ ~]]) + == + card + == :: ;: weld results1
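Review bot: The added `results7` case covers only the accepted path, so nothing pins the branches of `+request-is-logged-in` that return `%.n`. Cases worth adding with the same `light-call-with-comparator` shape are a `now` later than the session's expiry, a well-formed `urbauth` value that is not in the session map, and a malformed `Cookie` header, each expecting `%.n` as the first element of the poke. The literal `0v3.q0p7t.mlkkq.cqtto.p0nvi.2ieea` presumably matches the session created by the earlier login step in this test; a comment saying where the value comes from would help when that step changes.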