diff --git a/world/net/http/library.i b/world/net/http/library.i
index 424734f..b3888ed 100644
--- a/world/net/http/library.i
+++ b/world/net/http/library.i
@@ -215,3 +215,11 @@ varargs string make_query_string(mapping params, int sort) {
     }
     return q;
 }
+
+checkToken(mapping query) {
+    string nick;
+    object user;
+    if (nick = query["user"]) user = find_person(nick);
+    if (user && user->validToken(query["token"])) return user;
+    return 0;
+}
diff --git a/world/net/http/login.c b/world/net/http/login.c
index 6f2e817..cdeae5a 100644
--- a/world/net/http/login.c
+++ b/world/net/http/login.c
@@ -15,7 +15,7 @@ htget(prot, query, headers, qs) {
 		t = "_error_invalid_authentication_token";
 	} else {
 		PT(("replacing cookie %O\n", headers["cookie"]))
-		htok3(prot, 0, "Set-Cookie: psyced=\""+ qs +"\";\n");
+		htok3(prot, 0, "Set-Cookie: psyced=\""+ qs +"\"; path=/;\n");
 #if 1
 		// login was supposed to something more than just /surf
 		// but until this is the case, why lose time?
diff --git a/world/net/http/server.c b/world/net/http/server.c
index dbff168..d9b8754 100644
--- a/world/net/http/server.c
+++ b/world/net/http/server.c
@@ -9,8 +9,9 @@
 
 #include "header.i"
 
-volatile string url, file, qs, version;
+volatile string url, file, qs, version, method, body = "";
 volatile mapping headers;
+volatile int length;
 
 // we're using #'closures to point to the functions we're giving the
 // next_input_to(). as i don't want to restructure the whole file, i need
@@ -19,6 +20,7 @@ volatile mapping headers;
 // quite stupid indeed, as they don't got any modifiers or whatever :)
 parse_url(input);
 parse_header(input);
+parse_body(input);
 devNull();
 
 qScheme() { return "html"; }
@@ -67,14 +69,17 @@ parse_wait(null) { // waiting to send my error message here
 
 parse_url(input) {
     P3(("=== SmallHTTP got: %O\n", input))
-    unless (sscanf(input, "GET%t%s%tHTTP/%s", url, version)) {
-	if (sscanf(input, "CONNECT%t%~s")) {
+    unless (sscanf(input, "%s%t%s%tHTTP/%s", method, url, version)) quit();
+    switch (method) {
+	case "CONNECT":
 	    next_input_to(#'parse_wait);
 	    return;
-	} else {
+	case "GET":
+	case "POST":
+	    break;
+	default:
 	    quit();
 	    return;
-	}
     }
 
     version = "HTTP/" + version;
@@ -95,11 +100,25 @@ parse_header(input) {
 
 	next_input_to(#'parse_header);
     } else {
-	process();
-	next_input_to(#'devNull);
+	if (method == "POST" && (length = to_int(headers["content-length"])) &&
+	    headers["content-type"] == "application/x-www-form-urlencoded") {
+	    input_to(#'parse_body, INPUT_IGNORE_BANG | INPUT_CHARMODE | INPUT_NO_TELNET);
+	} else {
+	    process();
+	    next_input_to(#'devNull);
+	}
     }
 }
 
+parse_body(input) {
+    //P4(("parse_body(%O)\n", input))
+    body += input;
+    if (strlen(body) == length)
+	process();
+    else
+	input_to(#'parse_body, INPUT_IGNORE_BANG | INPUT_CHARMODE | INPUT_NO_TELNET);
+}
+
 process() {
     string t, ext;
     mapping query = ([]);
@@ -139,6 +158,9 @@ process() {
     } else {
 	file = url;
     }
+    if (method == "POST" && headers["content-type"] == "application/x-www-form-urlencoded") {
+	query = url_parse_query(query, body);
+    }
     P4(("parsed query: %O\n", query))
     switch (file) {
 case "/favicon.ico":