delete this login
which mostly does what check does and then also deletes the
assoc and the cookie
+
+
+
+----------------------------------------
+
+DECISONS
+clearing cookies does log out?
+no persistent cookie?
+allow read-only post/get distinction?
+
+does not support persistent cookie, as that needs two db entries etc.
+ two cookies complicated api
+
+clearing cookies always logs out
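Review bot: The added DECISONS block (heading misspelled; should be DECISIONS) lists three open questions but only records answers for two of them: "does not support persistent cookie" and "clearing cookies always logs out". Nothing in the added lines says what was decided for "allow read-only post/get distinction?". Please state each decision as a sentence with its reason and drop the question list, so a reader does not have to pair questions with answers. The rationale "two cookies complicated api" is also too terse to tell whether it is a second reason for rejecting the persistent cookie or a separate decision.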
# y n GET r intra-site data request from stale session
# fail
#
- # - y GET n CLEAR COOKIES TO LOGOUT OPTION
+ # -/n y2 GET n cross-site link
+ # but user has cleared cookies, revoke session
+ # show login form
+ #
+ # -/n y2 GET rmuio user has cleared cookies, revoke session
+ # then as for - - GET
#
- # -/n any GET n cross-site link but user not logged in
+ # n any GET n cross-site link but user not logged in
# show login form
#
- # -/n any GET r data request from stale session
+ # n any GET r data request from stale session
# fail
#
# any any GET muoi bug or attack, fail
#
# any - POST bug or xsrf attack, fail
#
- # n/y1 y2 POST r intra-site form submission
+ # n/y1 y2 POST r intra-site form submission
# from session no longer known to browser
# revoke y2
- # show "session interrupted"
+ # show "session interrupted" login form
# n/y1 y2 POST m intra-site js operation
# from session no longer known to browser
# revoke y2
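Review bot: The new rows "-/n y2 GET n" and "-/n y2 GET rmuio" overlap with rows further down the table. A request with first column n, second column y2, GET and type n also matches "n any GET n", and one with type r, m, u, i or o also matches "n any GET r" or "any any GET muoi", both of which say fail rather than "revoke session, then as for - - GET". The outcome therefore depends on rows being matched top-down, which the comment does not say. Either state the first-match rule at the head of the table or narrow the later rows so that each combination of inputs hits exactly one row. Since the revoke step is the security-relevant action here, it is worth making sure no ordering of the implementation can skip it. Minor: the type lists are written "rmuio" in one row and "muoi" in another; use one letter order throughout so the rows can be compared at a glance.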