On 21 April 2016 at 19:20, arjan tijms <arjan.tijms_at_gmail.com> wrote:
> But now suppose the user abandons the flow (by navigating away from the
> login form), and somewhat later explicitly attempts to login.
>
> How does the mechanism now know a new login is requested and all previous
> kept state (i.e. the saved destination) should be erased?
Arjan,
I think you answered your own question by saying:
> Consider a slightly modified version of the FORM authentication mechanism that
> instead of posting to j_security_check, allows the application to put the
> {username, password} credentials in request scope and then somehow invoke the
> authentication mechanism.
So the credentials have been put into request scope, so that if the
user navigates away then they have either aborted the flow, or the
authentication proceeded far enough that they are indeed
authenticated.
I can't see the case where they resume an attempt to login and that
discovers any kept state, as it was put into request scope.
Even if it is put into session scope, then it is likely to be
overwritten with new values (Eg destination) when the authentication
is resumed.
regards
--
Greg Wilkins <gregw@webtide.com> CTO http://webtide.com