1. If user has a valid session and it is fresh, check against cookie:
- If NOT a match refuse
- If a match accept
2. If user has a valid session and it is stale (>10 minutes), check the
database records again:
- If disabled refuse
- If enabled
  - If NOT a match refuse
  - If a match accept
  - Update session data
3. If user has no session check authtoken table entry (closed browser):
- If passed validity date refuse
- If within validity date, hash username and IP against salt and
compare to database:
  - If NOT a match refuse
  - If a match accept
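
The three steps above as a single decision function, added here as an example (not code from the original page). The record shapes for sessions, users and authtokens, the function names, looking up the authtoken row by cookie value, and the use of HMAC-SHA256 for the salted hash are all assumptions.

```python
import hashlib
import hmac
import time

FRESH_SECONDS = 10 * 60  # staleness threshold from step 2 (>10 minutes)

def token_for(username, ip, salt):
    # Assumption: "hash username and IP against salt" is modelled as
    # HMAC-SHA256 keyed by the per-token salt.
    return hmac.new(salt, f"{username}|{ip}".encode(), hashlib.sha256).hexdigest()

def matches(a, b):
    # Constant-time comparison: does not leak how many characters matched.
    return hmac.compare_digest(a.encode(), b.encode())

def validate(session, cookie, ip, users, authtokens, now=None):
    """Return (accepted, reason). All argument shapes are hypothetical."""
    now = time.time() if now is None else now
    if session is not None:
        if now - session["checked_at"] <= FRESH_SECONDS:      # step 1: fresh
            ok = matches(session["token"], cookie)
            return ok, "fresh session" if ok else "cookie mismatch"
        user = users.get(session["username"])                 # step 2: stale
        if user is None or not user["enabled"]:
            return False, "account disabled"
        if not matches(user["token"], cookie):
            return False, "cookie mismatch"
        session.update(token=user["token"], checked_at=now)   # update session data
        return True, "stale session revalidated"
    row = authtokens.get(cookie)                               # step 3: no session
    if row is None or now > row["valid_until"]:
        return False, "authtoken expired or unknown"
    ok = matches(row["hash"], token_for(row["username"], ip, row["salt"]))
    return ok, "authtoken accepted" if ok else "authtoken mismatch"

if __name__ == "__main__":
    # Constructed sample data (documentation IP ranges, made-up tokens).
    t0 = 1_000_000.0
    users = {"alice": {"enabled": True, "token": "tok-1"}}
    salt = b"constructed-salt"
    tokens = {"cookie-id": {"username": "alice", "salt": salt,
                            "hash": token_for("alice", "192.0.2.10", salt),
                            "valid_until": t0 + 100}}
    stale = {"username": "alice", "token": "tok-1", "checked_at": t0 - 3600}
    print(validate(stale, "tok-1", "192.0.2.10", users, tokens, t0))
    print(validate(None, "cookie-id", "198.51.100.7", users, tokens, t0))
```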