• We implemented a solution that combines the features mentioned here, along with a table sub-structure and temporary login tokens.

    The user is detected, we drill into the transactional data itself to determine if they should have access (as our security model is quite complex with multiple user roles and such), we enter a token along with userID into a table and that is the validation key.

    It is all sproc driven and adds little overhead to the reports themselves once established.

    The URL backtracking mentioned above is a key factor and is why we introduced the tokens.

    If not the same user, and not within a 30 min period, the URL itself actually expires (but is easily regenerated in the background for any valid user on return, if needed).

    There is some setup and coding, but it's a nice combination of the different topics mentioned in this article.

    Good reading - thanks!
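
The token table described in the comment above, sketched as an added example; this is not the commenter's code, and it uses Python with an in-memory SQLite table in place of their stored procedures. The table and function names, the `user_may_view` flag standing in for their role check, storing only a hash of the token, and rejecting a token when either the user or the 30-minute window fails are all assumptions.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL_SECONDS = 30 * 60  # the 30 min period mentioned in the comment


def open_store():
    """Create the (hypothetical) token table: one row per issued report URL."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE report_token ("
        " token_hash TEXT PRIMARY KEY,"
        " user_id TEXT NOT NULL,"
        " issued_at REAL NOT NULL)"
    )
    return db


def _digest(token):
    # Assumption: only a hash is stored, so a leaked table yields no usable URLs.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(db, user_id, user_may_view, now=None):
    """Issue a URL token only after the caller's own access check has passed."""
    if not user_may_view:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable, safe to place in a URL
    db.execute("INSERT INTO report_token VALUES (?, ?, ?)",
               (_digest(token), user_id, now))
    return token


def validate_token(db, token, user_id, now=None):
    """Accept the URL only for the user it was issued to, inside the TTL."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT user_id, issued_at FROM report_token WHERE token_hash = ?",
        (_digest(token),)).fetchone()
    if row is None or row[0] != user_id:
        return False  # unknown token, or a URL copied to another user
    if now - row[1] > TOKEN_TTL_SECONDS:
        # Expired: drop the row so the old URL can never be replayed.
        db.execute("DELETE FROM report_token WHERE token_hash = ?",
                   (_digest(token),))
        return False
    return True
```

A valid user who returns after expiry is sent back through `issue_token`, which matches the background regeneration the comment mentions.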