diff --git a/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/LoginServlet.java b/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/LoginServlet.java
index e41f01817445947ec685ae08d934590998f29df4..6c4a1379b869cb3eec8697b0a933a50bbe08c96b 100755
--- a/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/LoginServlet.java
+++ b/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/LoginServlet.java
@@ -69,10 +69,14 @@
 package ca.nrc.cadc.ac.server.web;
 
 import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.security.AccessControlException;
 import java.security.Principal;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
+import java.util.Calendar;
+import java.util.GregorianCalendar;
 
 import javax.security.auth.Subject;
 import javax.servlet.ServletConfig;
@@ -92,8 +96,10 @@ import ca.nrc.cadc.ac.server.PluginFactory;
 import ca.nrc.cadc.ac.server.UserPersistence;
 import ca.nrc.cadc.ac.server.ldap.LdapGroupPersistence;
 import ca.nrc.cadc.auth.AuthenticatorImpl;
+import ca.nrc.cadc.auth.DelegationToken;
 import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.auth.SSOCookieManager;
+import ca.nrc.cadc.date.DateUtil;
 import ca.nrc.cadc.log.ServletLogInfo;
 import ca.nrc.cadc.net.TransientException;
 import ca.nrc.cadc.util.StringUtil;
@@ -152,6 +158,7 @@ public class LoginServlet<T extends Principal> extends HttpServlet
             log.info(logInfo.start());
             String userID = request.getParameter("username");
             String password = request.getParameter("password");
+            String scope = request.getParameter("scope");
 
             if (userID == null || userID.length() == 0)
                 throw new IllegalArgumentException("Missing username");
@@ -174,9 +181,31 @@ public class LoginServlet<T extends Principal> extends HttpServlet
                 (!StringUtil.hasText(proxyUser) &&
                         userPersistence.doLogin(userID, password)))
             {
-        	    String token =
-        	            new SSOCookieManager().generate(
-        	                    new HttpPrincipal(userID, proxyUser));
+                String token = null;
+                HttpPrincipal p = new HttpPrincipal(userID, proxyUser);
+                if (scope != null)
+                {
+                    // This cookie will be scope to a certain URI,
+                    // such as a VOSpace node
+                    URI uri = null;
+                    try
+                    {
+                        uri = new URI(scope);
+                    }
+                    catch (URISyntaxException e)
+                    {
+                        throw new IllegalArgumentException("Invalid scope: " + scope);
+                    }
+
+                    final Calendar expiryDate = new GregorianCalendar(DateUtil.UTC);
+                    expiryDate.add(Calendar.HOUR, SSOCookieManager.SSO_COOKIE_LIFETIME_HOURS);
+                    DelegationToken dt = new DelegationToken(p, uri, expiryDate.getTime());
+                    token = DelegationToken.format(dt);
+                }
+                else
+                {
+                    token = new SSOCookieManager().generate(p);
+                }
         	    response.setContentType(CONTENT_TYPE);
         	    response.setContentLength(token.length());
         	    response.getWriter().write(token);
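Review bot: The new `scope` branch accepts any string that `new URI(scope)` can parse, so an empty `scope=` parameter or a relative reference still yields a delegation token, one whose scope names no real resource. Replace `if (scope != null)` with `if (StringUtil.hasText(scope))`, and after parsing reject non-absolute values with `if (!uri.isAbsolute()) throw new IllegalArgumentException("Invalid scope: " + scope);`. Nothing visible in this hunk restricts the URI scheme or checks that the authenticated user is entitled to a token for that URI; presumably the service consuming the token enforces access, but if it does not, a scheme allow-list belongs here. The catch block drops the `URISyntaxException`, so pass it as the cause: `throw new IllegalArgumentException("Invalid scope: " + scope, e);`. The inline comment should read `// This token will be scoped to a certain URI, such as a VOSpace node`; the enclosing method starts and ends outside the hunk.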