Hi Simon. We've done something like that; here is some code that will help you out. The key is that the request handler has to add a header for the location redirect and set session cookies. Here is a relevant extract from that code; you'll have to change it a bit:
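    // XAS_SESSION_ID and XAS_ID are cookie-name constants that are not shown in this extract.
    public void processRequest(IMxRuntimeRequest request, IMxRuntimeResponse response,
            String arg2) throws Exception {
        // User to log in, read from the "userName" request parameter
        String userName = request.getParameter("userName");
        IContext systemContext = Core.createSystemContext();
        // Create a runtime session for that user (remaining arguments elided in the original)
        ISession newSession = Core.login(userName, ....);
        // Session cookies the client needs in order to pick up the new session
        response.addCookie(XAS_SESSION_ID, newSession.getId().toString(), "/", "", -1);
        response.addCookie(XAS_ID, "0." + Core.getXASId(), "/", "", -1);
        // Redirect the browser to the application's index page
        response.setStatus(IMxRuntimeResponse.SEE_OTHER);
        response.addHeader("location", "../index.html");
    }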