I like what CGI::Application::Plugin::Authentication is trying to do, but I am puzzled by one aspect of how it is implemented. In my utter ignorance I even have a vague fear it may not be RESTful.

To me it seems natural that many websites will be separated into static pages which have no need for session ids or cookies etc, and those which require authentication and all that stuff. Now I know that with CGI::Application::Dispatcher I could separate these into two different application modules but that does not suit me, because it makes it harder to maintain consistency across a website.

Moreever CGI::Application::Plugin::Session promises Lazy loading. However CGI::Application::Plugin::Authentication (by the same author) seems to undermine this. You have to declare the protected run modes before you actually run any run modes, so you have something like:

sub setup {
    my $self = shift; # some sort of CGI::Application
    $self->run_modes(
           'mode1' => 'some_sub_by_name', 
           'mode2' => \&some_other_sub_by_ref
    );
    $self->authen->protected_runmodes('mode1');
}
[download]

Then behind the scenes the module installs a prerun callback. This prerun callback calls the CGI::Application::Plugin::Authentication::initialize function. I am the process of debugging this function, and it sets the session/cookie stuff before it has decided whether the run mode is protected or not. Now this seems wrong to me. By the time I have finished debugging this function it will probably all be clear to me. But at present it is not.

Edit: I've made some progress. If I change line 1211 of Authentication.pm to

if ($config->{LOGIN_SESSION_TIMEOUT} && !$self->{is_new_login} && $sel
+f->username) {
[download]

then all the module tests still run and my problem goes away. The issue is that in that line only the username method accesses the Session data and so calling it should be deferred until absolutely necessary.