1. User accesses application's URL: http://app.example.com/hosts 2. Browser issues HTTP GET request to app.exmple.com for /hosts --- GET /hosts ---> 3. Apache runs or hands the request over to application 4. Application does not find valid session cookie 5. Application redirects the browser to logon page <--- 302 Location /login?back=/hosts --- 6. Browser accesses the logon page /login --- GET /login?back=/hosts ---> 7. Apache runs or hands the request over to application 8. Application does not see POST with login & password 9. Application returns logon form <--- 200 + page with logon form, action set back to /login --- 10. User fills in the login and password and hits "Log in" 11. Browser submits the form --- POST /login ---> 12.1. Module mod_intercept_form_submit gets invoked 12.2. Module parses the post data, finds the login & password 12.3. If login not in InterceptFormLoginSkip, runs pam_authenticate 12.4. If login in InterceptFormLoginSkip and InterceptFormClearRemoteUserForSkipped on, clears possible existing REMOTE_USER / r->user 12.5. If InterceptFormPasswordRedact on, replaces the password in the POST data with [REDACTED] 12.6. If pam_authenticate passes, module sets the REMOTE_USER environment variable and r->user 12.7. If pam_authenticate passes and mod_lookup_identity loaded, it gets called 12.8. (orig 12) Apache runs or hands the request over to application 13.1. Application gets run 13.2. When it sees REMOTE_USER, it trusts it 13.3. (orig 13) Otherwise it validates the login & password; if they are not valid, go to 9 with message "Bad login or password" 14. Application creates session, returns session cookies <--- 302 Location /hosts with Set-Cookie --- 15. Like 2, now with Cookie set --- GET /hosts ---> 16. Apache runs or hands the request over to application 17. Application sees valid session cookie, returns the page <--- 200 + the /hosts page that user wanted to see ---