A customer would like to expose a single custom Visualforce page built on a Site in an iframe on their own website. To access the data they wish to expose requires the end User to be an authenticated Portal user.

They would like to have the log in component be a part of the parent frame which is supported by ASP.NET and C#. They do NOT want to log in inside the iframe.

I understand how the SOAP call goes out to the SFDC login server and gets the endpoint and sessionId with the Portal Users credentials.

My question is in two parts:

1. How to construct the src attribute of the iframe tag in the parent frame. My guess is something like this:

http://companyName.na#.force.com/apex/pageName?sid=mySessionVar

2. Is using the SessionID exposing my customer to any uneccessary security risks?