chiark / gitweb /
~ian / cgi-auth-flexible.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e1f4909)
wip some decisions
authorIan Jackson <ijackson@chiark.greenend.org.uk>
Sat, 10 Nov 2012 12:57:19 +0000 (12:57 +0000)
committerIan Jackson <ijackson@chiark.greenend.org.uk>
Sat, 10 Nov 2012 12:57:19 +0000 (12:57 +0000)
DESIGN patch | blob | history
cgi-auth-hybrid.pm patch | blob | history

diff --git a/DESIGN b/DESIGN
index 33ea59251590030bb634021edb4cb0bcf0922955..247546dfebec94bb2c54581de8e2ece8689baae8 100644 (file)
--- a/DESIGN
+++ b/DESIGN
@@ -40,3 +40,17 @@ app needs to check for logout button submission
   delete this login
     which mostly does what check does and then also deletes the
     assoc and the cookie
   delete this login
     which mostly does what check does and then also deletes the
     assoc and the cookie
+
+
+
+----------------------------------------
+
+DECISONS
+clearing cookies does log out?
+no persistent cookie?
+allow read-only post/get distinction?
+
+does not support persistent cookie, as that needs two db entries etc.
+ two cookies complicated api
+
+clearing cookies always logs out
diff --git a/cgi-auth-hybrid.pm b/cgi-auth-hybrid.pm
index f7b48aa1ef4ccbd96ff156a66036202196349221..77454c229b56b52399c630392e31453dc94c7a13 100644 (file)
--- a/cgi-auth-hybrid.pm
+++ b/cgi-auth-hybrid.pm
@@ -191,12 +191,17 @@ sub _check_core ($) {
     #  y   n   GET    r       intra-site data request from stale session
     #                           fail
     #
     #  y   n   GET    r       intra-site data request from stale session
     #                           fail
     #
-    #  -   y   GET   n           CLEAR COOKIES TO LOGOUT OPTION
+    #  -/n y2  GET   n        cross-site link
+    #                         but user has cleared cookies, revoke session
+    #                           show login form
+    #
+    #  -/n y2  GET    rmuio   user has cleared cookies, revoke session
+    #                           then as for   - - GET
     #
     #
-    #  -/n any GET   n        cross-site link but user not logged in
+    #  n   any GET   n        cross-site link but user not logged in
     #                           show login form
     #
     #                           show login form
     #
-    #  -/n any GET    r       data request from stale session
+    #  n   any GET    r       data request from stale session
     #                           fail
     #
     #  any any GET     muoi   bug or attack, fail
     #                           fail
     #
     #  any any GET     muoi   bug or attack, fail
@@ -207,10 +212,10 @@ sub _check_core ($) {
     #
     #  any -   POST           bug or xsrf attack, fail
     #
     #
     #  any -   POST           bug or xsrf attack, fail
     #
-    #  n/y1 y2 POST         intra-site form submission
+    #  n/y1 y2 POST   r       intra-site form submission
     #                           from session no longer known to browser
     #                           revoke y2
     #                           from session no longer known to browser
     #                           revoke y2
-    #                           show "session interrupted"
+    #                           show "session interrupted" login form
     #  n/y1 y2 POST    m      intra-site js operation
     #                           from session no longer known to browser
     #                           revoke y2
     #  n/y1 y2 POST    m      intra-site js operation
     #                           from session no longer known to browser
     #                           revoke y2
Unnamed repository; edit this file 'description' to name the repository.