-To support external links, pass C<< promise_check_mutate => 1 >> in
-I<settings>, and then call C<< $authreq->check_mutate() >> before
-taking any actions. If the incoming request is not suitable then
-C<< $authreq->check_mutate() >> will call C<die>. If you do this you
-must make sure that you have no mutating C<GET> requests in your
-application - but you shouldn't have any of those anyway.
+To support external links, and C<GET> requests, pass C<<
+promise_check_mutate => 1 >> in I<settings>, and then call C<<
+$authreq->check_mutate() >> before taking any actions. If the
+incoming request is not suitable then C<< $authreq->check_mutate() >>
+will call C<die>. If you do this you must make sure that you have no
+mutating C<GET> requests in your application - but you shouldn't have
+any of those anyway.
+
+=head2 DATA STORAGE
+
+CGI::Auth::Flexible needs to store various information in plain files;
+it does this in the directory specified by the C<dir> parameter.
+
+It also needs to record state relating to user sessions in a database.
+There is no particular reason for this