• what was the one and only login cookie in 2.5 is now limited to /wp-admin
• there’s a copy of that one that’s just limited to /wp-content/plugins, for backward compatibility with plugins
• there’s a new cookie that is at COOKIEPATH (which can be defined in your config file), that is checked by calling

  is_user_logged_in()

  (but perhaps this isn’t intended for secure authorization?)

So, it appears the way to go may be to change

auth_redirect()

to

Maybe more to follow on this when I’ve more thoroughly explored it.

The good news is that there’s an action hook, ‘set_auth_cookie’, that gets called whenever the cookies are set, so if the stuff for which you want to authenticate is on the same server but at a different path, you can create a plugin (or maybe use functions.php in your theme?) with something like the following:

The bad news is that if your WordPress install is at example.com/something and you want to use it to authenticate at portal.example.com, you can’t set a cookie for portal.example.com from a script on example.com, so your only choice would be to set a cookie with path / on .example.com (note the leading period), which completely breaks the security added by the separate cookies.

Hopefully, there’ll be a “part 3″ to this wherein I solve this last problem somehow, since that’s the setup I’m dealing with.