X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=cgi-auth-flexible.git;a=blobdiff_plain;f=DESIGN;h=3a172c7ced94dcb91e647d9df1e4b2c6ce103f61;hp=33ea59251590030bb634021edb4cb0bcf0922955;hb=53d4ed13ee06c55dad8337aa556eb631afddd8ae;hpb=f3fce9867ccbb9b591c682d699009af6ceb1c341 diff --git a/DESIGN b/DESIGN index 33ea592..3a172c7 100644 --- a/DESIGN +++ b/DESIGN @@ -40,3 +40,47 @@ app needs to check for logout button submission delete this login which mostly does what check does and then also deletes the assoc and the cookie + + + +---------------------------------------- + +DECISONS +clearing cookies does log out? +no persistent cookie? +allow read-only post/get distinction? + +does not support persistent cookie, as that needs two db entries etc. + two cookies complicated api + +clearing cookies always logs out + + +---------------------------------------- + +app supplies + + - func to tell whether it's a login form, + defaults to password form field + - func to check login details + - func to tell whether it's a logout form, + defaults to logout action form field list + - func to tell whether it's programmatic + defaults to always false, somewhat poor EH + +we supply + + - thing to call right at the beginning, + tells app to divert to one of + just logged out page + cookies disabled page + stale form login form + login form + "session interrupted" + a redirect + + - version of the above which deals with the request + + - thing which app must call when mutating + (alternatively app must check that method is POST for mutates) + (alternatively.2 every GETs is decreed to produce a login form)
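Review bot: The DECISONS block asks three questions but records an answer for only two of them: "allow read-only post/get distinction?" is left open, and the last item under "we supply" then lists three alternatives for mutating requests ("thing which app must call when mutating", "app must check that method is POST for mutates", "every GETs is decreed to produce a login form") without choosing one. Since this is the point where the app decides whether a request with a valid cookie may change state, pick one of the three, record it under the decisions, and say what happens when the app does none of them. In the same pass, "defaults to always false, somewhat poor EH" for the programmatic-request func should spell out what "EH" means and what a programmatic client actually receives by default, given that the divert list contains only pages and a redirect. The list under "tells app to divert to one of" runs "stale form login form" together on one line directly above "login form", so it is unclear whether these are two distinct outcomes; put each outcome on its own line. Spelling: "DECISONS" should be "DECISIONS" and "every GETs" should be "every GET".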