Shared Convention

These rules apply to all frameworks below unless explicitly called out as a minimal deviation.

Endpoints

• GET /login — render login page (server-side template + layout)
• POST /login — validate credentials, start server-side session
• GET /app — protected page (requires session)
• POST /logout — destroy session

Request format

• POST /login uses application/x-www-form-urlencoded
  • Fields: username, password
• POST /logout uses application/x-www-form-urlencoded (can be empty)

Responses + status codes

• GET /login
  • 200 OK HTML
• POST /login
  • Success: 303 See Other → Location: /app (sets session cookie)
  • Failure:
    • 401 Unauthorized HTML (re-render login with error)
    • 400 Bad Request HTML if missing/invalid fields
• GET /app
  • If authenticated: 200 OK HTML
  • If not: 303 See Other → /login
• POST /logout
  • Always: 303 See Other → /login (clears session)

Security rules

• Session cookie should be HttpOnly, and Secure in production.