+ $nassoc = $qassoc;
+ $nmutate = 1;
+ } else {
+ # authentication is by cookie
+ # the cookie suffices for read-only GET requests
+ # for mutating and non-GET requests we require hidden param too
+ my $cassoc = $r->_cm('get_cookie');
+ return undef unless defined $cassoc;
+ $nassoc = $cassoc;
+ if (defined $qassoc && $qassoc eq $cassoc) {
+ $nmutate = 1;
+ } else {
+ return undef unless $r->{S}{promise_check_mutate};
+ return undef unless $r->_cm('get_method') eq 'GET';
+ $nmutate = 0;
+ }