If I am understanding this correctly, you want to do something like authenticate someone, if the auth is returned true then invoke window.open. Really all you need to do is create a JS function that runs your security call and if it is true or validates to what you want, then have it run window.open. However I would stay away from doing security and authentication calls in JS as it is really to do JS insertion and hacking, as well as read the code and get the URL that way. The most secure thing to do, is to perform all of the authentication/security servierside and then return the window.open call through a XMLHttpRequest that will execute JS on completion of the call. This I believe can be done semi-easily using something like Prototype to handle all of the XHR requests