cookie: user assoc id
hidden form parameter: user assoc id
same or different? (unused)
session expiry?

logged-in user associations database
user login details form
user authentication form
user is abstract: to the session code it is just a string suitable for storing in the database, never interpreted

app needs to first check: is this a login form submission?
  if so, check the details
  if OK, call create new login assoc(username), which returns a cookie to set
check function looks for the assoc id in the cookie and in the form
  if the assoc id is in the cookie and the op is GET, allow
  otherwise demand it in the form too (a cross-site form post cannot read the cookie to copy the id into the form, so this blocks forged state-changing requests)
  checks for timeout too, of course
  on failure, the app must show the login form
app also needs to check for a logout button submission
  if so, call delete this login, which does mostly what check does and then also deletes the assoc and the cookie
----------------------------------------
DECISIONS
clearing cookies does log out?
no persistent cookie?
allow a read-only (GET) vs POST distinction?
does not support a persistent cookie, as that needs two db entries etc.
two cookies: complicated API
clearing cookies always logs out
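As an added example (not code from the original notes), the following Python puts the login-association flow above into a runnable in-memory form. The names create_new_login_assoc, check and delete_this_login follow the notes; the cookie name and attributes, the 30-minute idle timeout, the DEMO_USERS table, the authenticate hook and the handle_request wrapper are assumptions made for this example, not anything the notes specify.

```python
# Added example of the session design in the notes; not the page's own code.
# Assumed: cookie name/attributes, the 30-minute idle timeout, DEMO_USERS and
# the handle_request ordering. The "database" is an in-memory dict.
import hmac
import secrets
import time

COOKIE_NAME = "assoc"        # assumed cookie name
SESSION_TIMEOUT = 30 * 60    # assumed idle timeout, seconds


class LoginAssocStore:
    """Logged-in user associations: assoc id -> (username, last seen).

    The username is an opaque string here; authenticating it is the app's job.
    """

    def __init__(self, timeout=SESSION_TIMEOUT):
        self.timeout = timeout
        self._assocs = {}

    def create_new_login_assoc(self, username, now=None):
        """Called after the app has verified the login form.
        Returns (assoc_id, Set-Cookie value); the app also embeds assoc_id as a
        hidden parameter in every form it renders."""
        now = time.time() if now is None else now
        assoc_id = secrets.token_urlsafe(32)   # the session secret: unguessable
        self._assocs[assoc_id] = (username, now)
        cookie = f"{COOKIE_NAME}={assoc_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
        return assoc_id, cookie

    def check(self, method, cookie_assoc_id, form_assoc_id=None, now=None):
        """Username if the request is authenticated, else None.
        GET needs only the cookie; anything else must repeat the id in the form
        (a cross-site form cannot read the cookie to copy it). Expired
        associations are dropped, live ones have their timeout refreshed."""
        now = time.time() if now is None else now
        entry = self._assocs.get(cookie_assoc_id) if cookie_assoc_id else None
        if entry is None:
            return None
        username, last_seen = entry
        if now - last_seen > self.timeout:
            del self._assocs[cookie_assoc_id]
            return None
        if method.upper() != "GET":
            if form_assoc_id is None or not hmac.compare_digest(
                cookie_assoc_id.encode(), form_assoc_id.encode()):
                return None
        self._assocs[cookie_assoc_id] = (username, now)
        return username

    def delete_this_login(self, cookie_assoc_id, form_assoc_id, now=None):
        """Logout: same checks as any form submission, then drop the
        association and return a Set-Cookie value that clears the cookie."""
        if self.check("POST", cookie_assoc_id, form_assoc_id, now) is None:
            return None
        del self._assocs[cookie_assoc_id]
        return f"{COOKIE_NAME}=; Path=/; Max-Age=0"


# Constructed credential table standing in for the app's own authentication.
DEMO_USERS = {"alice": "correct horse battery staple"}


def authenticate(form):
    """App-side login check (assumed hook); returns the username or None."""
    username = form.get("username")
    if username is not None and DEMO_USERS.get(username) == form.get("password"):
        return username
    return None


def handle_request(store, method, cookie_assoc_id, form, now=None):
    """The request-handling order from the notes.
    Returns (outcome, username, set_cookie); outcome is 'logged_in',
    'logged_out', 'ok' or 'login_form' (the app must then show the form)."""
    if "login" in form:                       # 1. login form submission?
        username = authenticate(form)
        if username is None:
            return ("login_form", None, None)
        _, cookie = store.create_new_login_assoc(username, now)
        return ("logged_in", username, cookie)
    if "logout" in form:                      # 2. logout button?
        clear = store.delete_this_login(cookie_assoc_id, form.get("assoc"), now)
        if clear is None:
            return ("login_form", None, None)
        return ("logged_out", None, clear)
    username = store.check(method, cookie_assoc_id, form.get("assoc"), now)
    if username is None:                      # 3. ordinary request
        return ("login_form", None, None)
    return ("ok", username, None)
```

Passing `now` explicitly keeps the timeout logic testable; in a real handler the default `time.time()` is used. Note that because the hidden form value is the session id itself, any place that logs or caches submitted form bodies also captures a live session secret, which is the practical cost of the "same or different?" question being left as "same".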