unused session expiry?
logged in user associations database
user login details form
user authentication form
string suitable for database
not interpreted by session code
app needs to first check whether it is a login form submission
create new login assoc(username)
which returns a cookie to set
checks for assoc id in cookie and form
if assoc id in cookie and op is GET, allow
otherwise demand in form too
checks for timeout too of course
if failure, app must show login form
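The create and check steps above, as an added sketch that is not code from the original notes. The cookie name, form field name, idle-timeout value and the in-memory dict standing in for the associations database are all assumptions.

```python
import hmac
import secrets
import time

TIMEOUT = 30 * 60   # assumed idle timeout in seconds; the notes give no value
COOKIE = "assoc"    # assumed cookie name
FIELD = "assoc"     # assumed hidden form field name

_assocs = {}        # stands in for the logged in user associations database


def create_login_assoc(username, now=None):
    """Record a new association and return the cookie value to set."""
    now = time.time() if now is None else now
    assoc_id = secrets.token_urlsafe(32)
    # username is kept as an opaque string; this code never interprets it
    _assocs[assoc_id] = {"username": username, "last_seen": now}
    return assoc_id


def check(method, cookies, form, now=None):
    """Return the username for a valid request, or None (show login form)."""
    now = time.time() if now is None else now
    assoc_id = cookies.get(COOKIE)
    if not assoc_id:
        return None
    # The cookie alone is enough only for GET. Any other op must repeat the
    # id in the form, which a cross-site form submission cannot supply.
    if method != "GET":
        supplied = form.get(FIELD, "")
        if not hmac.compare_digest(supplied.encode(), assoc_id.encode()):
            return None
    record = _assocs.get(assoc_id)
    if record is None:
        return None
    if now - record["last_seen"] > TIMEOUT:
        del _assocs[assoc_id]   # expired association is dropped
        return None
    record["last_seen"] = now
    return record["username"]
```

This only protects state-changing operations if GET handlers never change state, since GET is accepted on the cookie alone.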
app needs to check for logout button submission
which mostly does what check does and then also deletes the