fixes

[cgi-auth-flexible.git] / DESIGN

cookie
  user assoc id

hidden form parameter
  user assoc id

same or different ?

unused session expiry ?


logged in user associations database

user login details form

user authentication form

user is abstract ?
  string suitable for database
  not interpreted by session code



app needs to first check is it a login form submission
if so check details
if ok then call
  create new login assoc(username)
  which returns a cookie to set

check function
  checks for assoc id in cookie and form
  if assoc id in cookie and op is GET, allow
  otherwise demand in form too
  checks for timeout too of course

if failure, app must show login form

app needs to check for logout button submission
  if so then call
  delete this login
    which mostly does what check does and then also deletes the
    assoc and the cookie



----------------------------------------

DECISONS
clearing cookies does log out?
no persistent cookie?
allow read-only post/get distinction?

does not support persistent cookie, as that needs two db entries etc.
 two cookies complicated api

clearing cookies always logs out


----------------------------------------

app supplies

 - func to tell whether it's a login form,
      defaults to password form field
 - func to check login details
 - func to tell whether it's a logout form,
      defaults to logout action form field list
 - func to tell whether it's programmatic
      defaults to always false, somewhat poor EH

we supply

 - thing to call right at the beginning,
   tells app to divert to one of
      just logged out page
      cookies disabled page
      stale form login form
      login form
      "session interrupted"
      a redirect

 - version of the above which deals with the request

 - thing which app must call when mutating
      (alternatively app must check that method is POST for mutates)
      (alternatively.2 every GETs is decreed to produce a login form)