unused session expiry ?

logged in user associations database

user login details form

user authentication form

string suitable for database
not interpreted by session code

app needs to first check whether it is a login form submission

create new login assoc(username)
which returns a cookie to set

checks for assoc id in cookie and form
if assoc id in cookie and op is GET, allow
otherwise demand in form too
checks for timeout too of course

if failure, app must show login form

app needs to check for logout button submission

which mostly does what check does and then also deletes the
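
The login association creation and check sketched above, as an added example (not code from these notes or the project they describe). The function names, the in-memory dict standing in for the associations database, the token format and the idle TIMEOUT value are all assumptions.

```python
import hmac
import secrets
import time

TIMEOUT = 3600  # seconds; assumed value, the notes do not give one

# assoc id -> (username, time last used); stands in for the
# "logged in user associations database" (assumed layout)
assocs = {}


def create_login_assoc(username, now=None):
    """Record a login; return the assoc id for the app to set as a cookie."""
    assoc_id = secrets.token_urlsafe(32)  # unguessable id, assumed format
    # username is stored as an opaque string and never interpreted here
    assocs[assoc_id] = (username, time.time() if now is None else now)
    return assoc_id


def check(method, cookie_assoc, form_assoc=None, now=None):
    """Return the username if the request is authorised, else None.

    On None the app must show the login form.
    """
    now = time.time() if now is None else now
    entry = assocs.get(cookie_assoc) if cookie_assoc else None
    if entry is None:
        return None
    username, last_used = entry
    if now - last_used > TIMEOUT:
        del assocs[cookie_assoc]  # expired association is dropped
        return None
    if method != "GET":
        # A cross-site request carries the cookie automatically but cannot
        # read it, so it cannot also supply the id as a form field.
        if form_assoc is None or not hmac.compare_digest(
                cookie_assoc.encode(), form_assoc.encode()):
            return None
    assocs[cookie_assoc] = (username, now)  # refresh idle timer (assumed)
    return username
```
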

----------------------------------------

clearing cookies does log out?

allow read-only post/get distinction?

does not support persistent cookie, as that needs two db entries etc.
two cookies complicated api

clearing cookies always logs out

----------------------------------------

- func to tell whether it's a login form,
  defaults to password form field
- func to check login details
- func to tell whether it's a logout form,
  defaults to logout action form field list
- func to tell whether it's programmatic
  defaults to always false, somewhat poor EH

- thing to call right at the beginning,
  tells app to divert to one of

- version of the above which deals with the request

- thing which app must call when mutating
  (alternatively app must check that method is POST for mutates)
  (alternatively.2 every GET is decreed to produce a login form)