aaargh, commit flood. I shouldn't leave debugging statements in when committing, I shouldn't leave debugging statements in when commiting, I shouldn't leave ...

timeout anonymous sessions earlier, to stop the session table getting massive. And fix the inevitable stupid bug which crept in

here be a dir to store sql files with database changes which need to be applied to the live site, and the changes required for version 0.3

stop using temporary cookies for logged in users and set a timeout instead. Sessions should now timeout after 48 hours of inactivity, or 8 days since authenticating, whichever comes first. Also fix a bug where we tried to delete users sessions before actually figuring out who they were which stopped logout functioning correctly

from the better-late-than-never department, here's a stupidly overcomplex yet incomplete way of adding new books. Doesn't deal with tagging yet, but better than nothing, don't you think? Maybe someone else should rewrite the whole library component in an afternoon following KISS principles soon ;-)

- Begin to stop it being so logout happy for ordinary users who aren't doing anything particularly sensitive on the site by keeping track of when a user was last asked for credentials
- Don't continue to use the same session identifier once a user is logged in; it's likely been sent insecurely
- Mark session cookies as "SSL only" once logged in
- Automatically bump users from HTTP to HTTPS for all requests whilst they're logged in