wip some decisions

[cgi-auth-flexible.git] / cgi-auth-hybrid.pm

diff --git a/cgi-auth-hybrid.pm b/cgi-auth-hybrid.pm
index f7b48aa1ef4ccbd96ff156a66036202196349221..77454c229b56b52399c630392e31453dc94c7a13 100644 (file)
--- a/cgi-auth-hybrid.pm
+++ b/cgi-auth-hybrid.pm
@@ -191,12 +191,17 @@ sub _check_core ($) {
     #  y   n   GET    r       intra-site data request from stale session
     #                           fail
     #
-    #  -   y   GET   n           CLEAR COOKIES TO LOGOUT OPTION
+    #  -/n y2  GET   n        cross-site link
+    #                         but user has cleared cookies, revoke session
+    #                           show login form
+    #
+    #  -/n y2  GET    rmuio   user has cleared cookies, revoke session
+    #                           then as for   - - GET
     #
-    #  -/n any GET   n        cross-site link but user not logged in
+    #  n   any GET   n        cross-site link but user not logged in
     #                           show login form
     #
-    #  -/n any GET    r       data request from stale session
+    #  n   any GET    r       data request from stale session
     #                           fail
     #
     #  any any GET     muoi   bug or attack, fail
@@ -207,10 +212,10 @@ sub _check_core ($) {
     #
     #  any -   POST           bug or xsrf attack, fail
     #
-    #  n/y1 y2 POST  r        intra-site form submission
+    #  n/y1 y2 POST   r       intra-site form submission
     #                           from session no longer known to browser
     #                           revoke y2
-    #                           show "session interrupted"
+    #                           show "session interrupted" login form
     #  n/y1 y2 POST    m      intra-site js operation
     #                           from session no longer known to browser
     #                           revoke y2