wip session auth

Femto.Docs/Design/Auth/RememberMe.md

@@ -0,0 +1,27 @@
+# Remember me
+
+We want to implement long lived sessions
+
+we will do this with a remember me cookie
+
+this should be implemented as so:
+
+
+logging or registering and including a "rememberMe" flag with the request will generate a new remember me token, which can be stored as a cookie .
+
+the remember me token should live until:
+* the user changes password anywhere
+* the user logs out on that device
+* the user logs in with an expired session, in which case the remember me token will be used to refresh the session, and then it will be swapped out for a new one
+
+that means we need to implement three spots: 
+- [ ] login
+- [ ] register
+- [ ] validate session
+
+we will implement it as described [here](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence)
+
+we will only check the remember me token in "validate session".
+
+"refresh session" is only called with valid sessions so we do not need to check it here, as the session should already have been validated
+

Femto.Docs/Design/Auth/strong_vs_weak_session.md

@@ -0,0 +1,16 @@
+# Strong vs weak sessions
+
+a **strong** session is one that should have the power to do account level admin tasks like change password
+ 
+
+a **weak** session has strictly fewer privileges than a strong session
+
+## where to get a strong session
+
+a strong session is created when a user provides a username and a password. a session remains strong until it is refreshed, at which point it becomes weak.
+
+## where to get a weak session
+
+A weak session is any session that has not been directly created by user credentials, i.e.:
+* short-term session refresh
+* long-term session refresh