Tres Seaver wrote at 2004-9-3 08:56 -0400:
... I am worried that there may be third-party application code which relies on 'validate' to raise an exception. Returning the login form directly is not really a big win over a redirect; among other things, it messes up cacheability, because the URL no longer corresponds to the "real" content.
This can easily be controlled with cache control headers. Not making a redirect would give the login form more control on what to do after the login. Currently, I would allow to work around a bug in CookieCrumber (it does not include "QUERY_STRING" in its "came_from"). Including additional request information may be also interesting for some "POST" requests (that do not have a meaningfull "QUERY_STRING"). -- Dieter