Forum OpenACS Development: Re: Permissions on webservices

Posted by Tom Jackson on
I've done something like this before. User logs into a non OpenACS system. The system gets the creds and then does a backdoor login to the OpenACS system to get the cookie.

Then the user can be redirected with the cookie as a form var, and as long as it is a valid session, log them in without email/password. (Also, the user doesn't even need to be aware of the email/password or their account on OpenACS, these could also be established by the external system.)

But a webservice isn't accessed via a browser, so it is easy to get the cookie(s) and paste them in.

For instance, TWiST does this with the browser interface. If you visit an operation with a GET, it provides a form and shows you what a request looks like, and it includes the cookies you just sent. Fill in the form and send. The cookies are copied and passed on to the webservice call. In response, you get a copy of the sent request and the received response. Essentially it translates HTTP/GET into a SOAP request.

So you could locate the webservice in an admin directory as a very simple way of checking access. User access is more difficult, as the webservice would then be responsible for doing a permission check.
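The last paragraph puts the permission check inside the webservice itself, once the session cookie has been copied into the call. Below is an added example, written for this thread rather than taken from OpenACS, TWiST or the post, of what that entry-point check looks like: parse the incoming `Cookie` header, resolve the session to a user (rejecting unknown and expired sessions), then require the privilege the requested operation needs on its target object before dispatching. The cookie name `ad_session_id`, the session store, the permission table and the operation list are all constructed stand-ins; the permission lookup plays the role an OpenACS `permission::permission_p`-style call would play in a real package.

```python
"""Session-cookie validation plus per-operation permission check in front of a
webservice dispatcher.  Added illustration, not OpenACS/TWiST code; every store
below is a constructed stand-in."""
from http.cookies import CookieError, SimpleCookie

# Assumed session cookie name; adjust to whatever the deployed site issues.
SESSION_COOKIE = "ad_session_id"

# Frozen clock so the example is reproducible (epoch seconds, constructed).
NOW = 1_700_000_000

# Constructed session store: cookie value -> (user_id, expiry in epoch seconds).
SESSIONS = {
    "sess-valid": ("user-42", NOW + 3600),
    "sess-expired": ("user-42", NOW - 1),
}

# Constructed permission table: (user_id, object_id) -> granted privileges.
# Stands in for a permission::permission_p style lookup against the object tree.
PERMISSIONS = {
    ("user-42", "package-notes"): {"read"},
    ("user-7", "package-notes"): {"read", "write"},
}

# Which privilege each webservice operation requires on its target object.
# Anything not listed is refused outright rather than defaulting to allowed.
OPERATIONS = {
    "list_notes": "read",
    "add_note": "write",
}


def session_user(cookie_header, now=NOW):
    """Return the user_id behind the session cookie, or None if the header is
    absent or malformed, the cookie is missing, unknown, or expired."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    morsel = jar.get(SESSION_COOKIE)
    if morsel is None:
        return None
    entry = SESSIONS.get(morsel.value)
    if entry is None:
        return None
    user_id, expires = entry
    if expires <= now:
        return None
    return user_id


def authorize(user_id, operation, object_id):
    """Map the operation to the privilege it needs and check the user holds it
    on the object.  Returns (allowed, reason)."""
    privilege = OPERATIONS.get(operation)
    if privilege is None:
        return False, "unknown operation"
    granted = PERMISSIONS.get((user_id, object_id), set())
    if privilege not in granted:
        return False, f"user {user_id} lacks {privilege} on {object_id}"
    return True, ""


def handle_request(cookie_header, operation, object_id, now=NOW):
    """Entry point the SOAP handler would call before doing any work: no valid
    session or missing privilege means the operation never runs."""
    user_id = session_user(cookie_header, now)
    if user_id is None:
        return {"ok": False, "error": "no valid session"}
    allowed, reason = authorize(user_id, operation, object_id)
    if not allowed:
        return {"ok": False, "error": reason}
    # Dispatch would happen here; the example just reports the resolved context.
    return {"ok": True, "user_id": user_id, "operation": operation,
            "object_id": object_id}


if __name__ == "__main__":
    for hdr, op in [("ad_session_id=sess-valid", "list_notes"),
                    ("ad_session_id=sess-valid", "add_note"),
                    ("ad_session_id=sess-expired", "list_notes"),
                    ("", "list_notes")]:
        print(op, "->", handle_request(hdr, op, "package-notes"))
```

The point of keeping `session_user` and `authorize` separate is that the second check is the one the post says the webservice must own: placing the endpoint under an admin directory only answers "may this user reach the URL", while the privilege lookup answers "may this user perform this operation on this object", and the two can differ per call.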