On 03 Dec 2013, at 5:29 PM, Thomas Eckert <thomas.r.w.eck...@gmail.com> wrote:
> This whole process is important for supporting two factor authentication - in
> my example with OTP - but I doubt this is the only use case. In general it's
> a good idea to let the auth providers know where the user credentials came
> from (eg. headers vs. body).

I see a possible technical solution to something, but I don't yet understand the problem that technical solution is trying to solve.

The end user has never logged in, so they get a form, they enter credentials, they are logged in. Time passes, a session of some kind expires (a session provided by mod_session, or an internal unrelated session?), and the user… has to log in again?

I get the sense you're fighting against httpd's AAA modules instead of using them. Are you using mod_auth_socache to cache the credentials or something else? Are you using mod_session to implement your session or something else?

Regards,
Graham
--