Hello,

in the form-based login scheme, as in  the demo below, there seems to
be a conceptual problem -- and that is that for this scheme to work, a
session must already exist. I.e., if, as your first access to the site,
you try to access a protected page, a session is not created! Also, the
finish_*_request() methods are never called...

This also implies that you can not protect all pages in the site with
such a scheme...

Any ideas of how I can get around this?

mario