Quote: Originally Posted by kyberfabrikken
What about you just show the form as usual. When the user submits it; if the session has expired you redisplay the form with the user + pass fields added to it (and the rest of the fields filled in from post data). That way, the normal flow would work unchanged, and you only do something different if the user's session has expired. Basically, you treat the expired session as a validation error on the form, which is actually quite intuitive (IMHO).
I'd like to try my hand at implementing this. I do have a question though.

If I'm securing a page using a user id stored in the session, I check for that user id fairly early in the whole process, usually in the front controller before a specific page controller has been loaded. However, in order to do what you describe above, either each page controller would be responsible for securing itself (which would be a pain) or page controllers need a way to override the default action that occurs when a user isn't logged in (displaying a login screen).

So I guess my question is, how can the system you describe above be implemented without losing the ability to secure a whole section of the site at once?
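
An added example, not part of the original posts: one way to keep the session check in the front controller for a whole section while letting a single page controller override only the "not logged in" fallback, treating the expired session as a form validation error. It is written in Python because the thread names no language; every name here (`front_controller`, `on_unauthenticated`, `InlineReauthMixin`, the `SECURED` routes and the `USERS` store) is hypothetical.

```python
import hmac

# Constructed credential store for the demo; real code verifies a password hash.
USERS = {"alice": "correct horse"}

class PageController:
    # Default policy: an unauthenticated request gets the login screen.
    def on_unauthenticated(self, session, post):
        return {"view": "login"}

    def handle(self, session, post):
        raise NotImplementedError

class InlineReauthMixin:
    """Opt-in override: treat an expired session as a form validation error."""
    def on_unauthenticated(self, session, post):
        if not post:                       # plain GET: no form data to preserve
            return {"view": "login"}
        user, pw = post.get("user", ""), post.get("pass", "")
        expected = USERS.get(user)
        if expected is not None and hmac.compare_digest(pw.encode(), expected.encode()):
            session.clear()                # stand-in for regenerating the session id
            session["user_id"] = user
            return self.handle(session, post)
        # Redisplay with the submitted values, but never echo the password back.
        kept = {k: v for k, v in post.items() if k != "pass"}
        return {"view": "form", "fields": kept, "ask_credentials": True,
                "errors": ["Your session has expired; please log in again."]}

class EditProfile(InlineReauthMixin, PageController):
    def handle(self, session, post):
        return {"view": "saved", "by": session["user_id"], "bio": post.get("bio")}

class Dashboard(PageController):
    def handle(self, session, post):
        return {"view": "dashboard"}

SECURED = {"/account/edit": EditProfile, "/account/home": Dashboard}

def front_controller(path, session, post=None):
    """Guards the whole SECURED section; controllers only choose the fallback."""
    controller = SECURED[path]()
    if "user_id" not in session:
        return controller.on_unauthenticated(session, post or {})
    return controller.handle(session, post or {})
```

The action itself still runs only after the front controller's check or a successful credential check, so a controller that opts in cannot skip authentication; it can only change what is shown when authentication is missing.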