+
+
+
+----------------------------------------
+
+DECISONS
+clearing cookies does log out?
+no persistent cookie?
+allow read-only post/get distinction?
+
+does not support persistent cookie, as that needs two db entries etc.
+ two cookies complicated api
+
+clearing cookies always logs out
+
+
+----------------------------------------
+
+app supplies
+
+ - func to tell whether it's a login form,
+ defaults to password form field
+ - func to check login details
+ - func to tell whether it's a logout form,
+ defaults to logout action form field list
+ - func to tell whether it's programmatic
+ defaults to always false, somewhat poor EH
+
+we supply
+
+ - thing to call right at the beginning,
+ tells app to divert to one of
+ just logged out page
+ cookies disabled page
+ stale form login form
+ login form
+ "session interrupted"
+ a redirect
+
+ - version of the above which deals with the request
+
+ - thing which app must call when mutating
+ (alternatively app must check that method is POST for mutates)
+ (alternatively.2 every GETs is decreed to produce a login form)
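Review bot: the third question under DECISONS ("allow read-only post/get distinction?") has no recorded answer, and the final item ("thing which app must call when mutating") still lists two alternatives without choosing between them. Please state which of the three the library actually implements, because that choice decides whether the app or the library is responsible for checking mutating requests. The first two questions are answered ("does not support persistent cookie", "clearing cookies always logs out"), so the third should get the same treatment. Smaller points: the heading is misspelled ("DECISONS"), "stale form login form" in the divert list reads like two entries run together or a missing word, and "somewhat poor EH" should be spelled out so the default for the programmatic-request function is understandable.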