Subject: The module should not create a session unless absolutely necessary
Apart from the overhead of creating a session, creating a session
interferes with caching.
Mostly it seems that the "username" method is responsible for this as
this checks if the username is stored.
In
http://github.com/periapt/cgi-application-plugin-authentication/commit/9bbb69e6f5802ed3553ac7d54b6c9c183475c377
I submitted to github a one line change that defers to the end of an if
statement, calling the username function. This seems to be enough to
mean that stateful pages and stateless pages can coexist in a single
application.
As far as I can see the functions: config, protected_runmodes,
is_protected_runmode, setup_runmodes never make a stateless page
stateful. Similarly one can set the future session name, without
actually making the page stateful by doing:
    CGI::Session->name('my session name');
Ideally functions like username, last_login, last_access,
is_login_timeout, is_authenticated, login_attempts, is_new_login etc.
should not add statefulness unless required. As far as I can see when
they do add statefulness unnecessarily it is all through the username
function. Possibly this could be fixed if the username function first
checked whether there was a store and if not returned an empty string.
This might, however, have unexpected side effects; it may be asking too
much. However, I think it is at least reasonable that it should be
documented which functions can be relied on to not add statefulness and
which cannot.
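
The guard suggested above (have the username lookup check for an existing store before touching the session), as an added illustration in core Perl showing that only the eager lookup on a cookieless request creates a session. It is not code from the plugin; Toy::Request, %STORE and both username_* subs are hypothetical names with constructed data.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package Toy::Request;    # hypothetical stand-in, not the plugin's API

my %STORE = (abc123 => { username => 'alice' });    # constructed session store

sub new {
    my ($class, %cookies) = @_;
    return bless { cookies => {%cookies}, session => undef, new_sid => undef }, $class;
}

# True only if the request already carries a session id the store knows.
sub has_session {
    my ($self) = @_;
    my $sid = $self->{cookies}{SID};
    return defined $sid && exists $STORE{$sid};
}

# Loads the session, creating one (and a cookie to send) if none exists.
sub session {
    my ($self) = @_;
    return $self->{session} if $self->{session};
    return $self->{session} = $STORE{ $self->{cookies}{SID} } if $self->has_session;
    my $sid = 'toy-' . (1 + keys %STORE);    # toy id only, not a secure generator
    $self->{new_sid} = $sid;
    return $self->{session} = $STORE{$sid} = {};
}

# Eager lookup: always touches the session, so every page becomes stateful.
sub username_eager { my ($self) = @_; return $self->session->{username} // '' }

# Guarded lookup: empty string when there is no store, nothing is created.
sub username_guarded {
    my ($self) = @_;
    return $self->has_session ? $self->session->{username} // '' : '';
}

# Reports whether handling this request issued a new session cookie.
sub created_session { my ($self) = @_; return defined $self->{new_sid} ? 'yes' : 'no' }

package main;

for my $case ([anonymous => {}], [logged_in => { SID => 'abc123' }]) {
    my ($label, $cookies) = @$case;
    for my $method (qw(username_eager username_guarded)) {
        my $req  = Toy::Request->new(%$cookies);
        my $user = $req->$method;
        printf "%-9s %-16s user='%s' new session: %s\n",
            $label, $method, $user, $req->created_session;
    }
}
```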