Forum OpenACS Development: Re: RFC: External Authentication

Posted by Andrew Grumet on
Correspondence of functions: yes, I agree that your functions are equivalent.  And yes, the function I proposed would work roughly like ad_maybe_redirect_for_registration.  There would be subtle differences if we authenticated the person by their client certificate, and the process of redirecting would be programmable so that we could send them off to CAS or a subsite-specific URL.  And yes, you guessed the program flow, sorry if I glossed over that (side note: *everything* in ASP.NET works this way, so it has a way of creeping into one's thinking).

Security: no arguments; I worry about giving people so much rope to hang themselves with, but better to build an imperfect system than no system at all.