From: Ian Jackson Date: Sat, 10 Nov 2012 12:57:19 +0000 (+0000) Subject: wip some decisions X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=cgi-auth-flexible.git;a=commitdiff_plain;h=e802c503b5877277b1138f212bd8a49871d6b9cb wip some decisions
---
diff --git a/DESIGN b/DESIGN
index 33ea592..247546d 100644
--- a/DESIGN
+++ b/DESIGN
@@ -40,3 +40,17 @@ app needs to check for logout button submission delete this login which mostly does what check does and then also deletes the assoc and the cookie
+
+
+
+----------------------------------------
+
+DECISONS
+clearing cookies does log out?
+no persistent cookie?
+allow read-only post/get distinction?
+
+does not support persistent cookie, as that needs two db entries etc.
+ two cookies complicated api
+
+clearing cookies always logs out
diff --git a/cgi-auth-hybrid.pm b/cgi-auth-hybrid.pm
index f7b48aa..77454c2 100644
--- a/cgi-auth-hybrid.pm
+++ b/cgi-auth-hybrid.pm
@@ -191,12 +191,17 @@ sub _check_core ($) {
 # y n GET r intra-site data request from stale session
 # fail
 #
- # - y GET n CLEAR COOKIES TO LOGOUT OPTION
+ # -/n y2 GET n cross-site link
+ # but user has cleared cookies, revoke session
+ # show login form
+ #
+ # -/n y2 GET rmuio user has cleared cookies, revoke session
+ # then as for - - GET
 #
- # -/n any GET n cross-site link but user not logged in
+ # n any GET n cross-site link but user not logged in
 # show login form
 #
- # -/n any GET r data request from stale session
+ # n any GET r data request from stale session
 # fail
 #
 # any any GET muoi bug or attack, fail
@@ -207,10 +212,10 @@ sub _check_core ($) {
 #
 # any - POST bug or xsrf attack, fail
 #
- # n/y1 y2 POST r intra-site form submission
+ # n/y1 y2 POST r intra-site form submission
 # from session no longer known to browser
 # revoke y2
- # show "session interrupted"
+ # show "session interrupted" login form
 # n/y1 y2 POST m intra-site js operation
 # from session no longer known to browser
 # revoke y2
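Review bot: The new row `-/n y2 GET rmuio` spells the request-class letters in a different order from the existing row at the end of the hunk, `# any any GET muoi bug or attack, fail`, which obscures that `rmuio` is presumably `r` plus that same set; writing it as `rmuoi` to match the existing row would keep the table's classes self-consistent. The added rows also record an outcome ("user has cleared cookies, revoke session", "show login form") while this wip commit changes only the comment table, so it is not visible here whether `_check_core` already implements that revocation; a marker such as `# TODO(wip): y2/rmuoi rows record decided behaviour, confirm the code below matches` would stop the table being read as a description of current behaviour. `_check_core` begins and ends outside this hunk.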
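Review bot: The reworded outcome `show "session interrupted" login form` for the `n/y1 y2 POST r` row does not say what happens to the submitted form body, and the preceding `revoke y2` line covers only the session; because the table treats a POST from an unknown session as a failure elsewhere (`# any - POST bug or xsrf attack, fail`), the decision on whether the submission is discarded or carried over to the re-login is worth recording, e.g. `# show "session interrupted" login form (submitted data is discarded)` if that is the intent. The same question applies to the `n/y1 y2 POST m` row below it, whose outcome lines are unchanged here. `_check_core` continues outside this hunk on both sides.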