Right now it is not possible to distinguish a logged in user from a guest by just looking at the session cookie - in both cases it's just a random string.
Being able to distinguish a guest from a logged in user on the webserver level (or a reverse proxy in front of that) could be quite useful for applying different rules (like rate limits, challenges, etc.) partly based on the login status.
I therefore suggest to add a flag to the session cookie value (for example a prefix u: for logged in users) so it becomes easy to classify clients.
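What the suggested prefix would allow at the reverse proxy, as an added example that is not part of the original post and not the forum software's own configuration. It assumes the cookie is literally named session and that logged-in values start with u: as proposed; the zone names, rates and upstream address are placeholders. The prefix is sent by the client and is not verified at the proxy, so both classes stay rate-limited and the application still makes every authentication decision.

```nginx
# http {} context. Classify the client from the session cookie value.
# Assumption: cookie name "session", logged-in prefix "u:" (from the suggestion).
map $cookie_session $client_class {
    default   guest;   # no cookie, or a value without the prefix
    "~^u:"    user;    # value starts with the proposed logged-in flag
}

# limit_req_zone does not account requests whose key is empty, so each
# class gets a key only for "its" zone and an empty key for the other.
map $client_class $guest_key {
    guest     $binary_remote_addr;
    default   "";
}
map $client_class $user_key {
    user      $binary_remote_addr;
    default   "";
}

# Placeholder rates: stricter for guests, looser (but still bounded) for
# clients presenting the flag, because the flag is only a hint.
limit_req_zone $guest_key zone=guests:10m rate=2r/s;
limit_req_zone $user_key  zone=users:10m  rate=10r/s;

# Log the derived class so the effect of the rules can be reviewed.
log_format classified '$remote_addr [$time_local] "$request" '
                      '$status class=$client_class';

server {
    listen 80;
    access_log /var/log/nginx/access.log classified;

    location / {
        # Both directives are evaluated; only the zone with a non-empty
        # key for this request actually counts it.
        limit_req zone=guests burst=5  nodelay;
        limit_req zone=users  burst=20 nodelay;
        limit_req_status 429;

        # Placeholder upstream; it validates the session itself.
        proxy_pass http://127.0.0.1:8080;
    }
}
```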