At the moment I'm playing with this idea: - Update the password form to poke the SSL admin URL using AJAX - Add mapped domain to allowed origins - Return the cookie settings - Set the cookie in AJAX callback and refresh the screen Obviously that doesn't have a non js fallback..