> 1. Can this be done (nicely) as a > authentication/authorization handlier?
Sure, or you could do it as part of another phase if it's easier for you. There are good exmples on CPAN or in the Eagle book. > 2. Do most hosting companies allow > authentication/authorization handlers? (Using HostRocket > at the moment). Most hosting companies don't allow mod_perl. > 3. What is the most appropriate session management system? > I'm thinking of using cookies (client side) to store a > session key, rather than resubmitting the password data. > The server side stores this session key in the database. That sounds fine. There are examples of this in the book too. Make sure your session keys can't be forged. > 4. How does the membership ID get passed to the next stage? It's typically stored in the session data. > 5. What is the time to do additional access checking (for > senior/admin users)? Impossible to answer. Totally depends on your setup. > 6. What is a realistic time to expect all this to happen > in? Also impossible to answer, since it depends on your developers and the full requirements. - Perrin
