> Since the authentication happens on every trip into the server, and I
> don't want to run my code (to set up an Apache::Session for the user's
> session data) until I'm sure I have a valid user on my hands, I can't
> see a way to do the session setup only the first time after a successful
> login.

Can't you do this in authen_cred()? IIRC authen_cred is only called when no cookie is found, which means you have a first time visit (or an unsuccessful attempt). You have control here to execute code only when a valid user is found, since it's up to you to determine if the user is valid. authen_ses_key() then checks whether the cookie itself (containing the session key) is valid.

At least this is how I remember it working - it's been a while since I've worked with AuthCookie.

--Geoff
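
The split described in this reply, sketched as an Apache::AuthCookie subclass; this is an added example, not code from the thread or from the AuthCookie distribution. The package name, the storage directories, the `$VERIFY` hook and the 32-hex-character key pattern (Apache::Session's default MD5-style ids) are assumptions.

```perl
package My::AuthCookieHandler;    # hypothetical module name
use strict;
use warnings;
use Apache::AuthCookie ();
use Apache::Session::File ();
our @ISA = ('Apache::AuthCookie');

# Assumed session store; both directories must exist and be writable
# only by the web server user.
my %STORE = (
    Directory     => '/var/tmp/sessions',
    LockDirectory => '/var/tmp/sessions/lock',
);

# Site-supplied credential check (hypothetical hook). It denies everyone
# until it is replaced with a real lookup.
our $VERIFY = sub { my ($user, $password) = @_; return 0 };

# Login time only: create the Apache::Session here, after the credentials
# have been verified, and hand its id back as the session key that
# AuthCookie stores in the cookie.
sub authen_cred {
    my ($self, $r, $user, $password) = @_;
    return unless defined $user && defined $password;
    return unless $VERIFY->($user, $password);

    my %session;
    tie %session, 'Apache::Session::File', undef, \%STORE;  # undef id = new session
    $session{user} = $user;
    my $key = $session{_session_id};    # server-generated random id
    untie %session;
    return $key;
}

# Every later request: the cookie value is untrusted input. Accept it only
# if it has the expected shape and names a session that exists in the store.
sub authen_ses_key {
    my ($self, $r, $key) = @_;
    return unless defined $key && $key =~ /\A[0-9a-f]{32}\z/;

    my %session;
    # tie dies when the id is not in the store; treat that as "not logged in".
    eval { tie %session, 'Apache::Session::File', $key, \%STORE; 1 } or return;
    my $user = $session{user};
    untie %session;
    return $user;    # undef if the session carries no user
}

1;
```

Because the cookie carries only the random session id, the user name and any other session data stay on the server, and a forged or expired cookie fails in authen_ses_key without running the session setup code.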