I'm curious about your description of the login app. If all it does is set a cookie, doesn't that mean that your users could simply go to the final destination, skipping the login? If the final destination (and all further pages) needs to retrieve and process the cookie, isn't this the beginning of a framework, since each app-behind-the-login needs to know how the login was done and how to verify it?
Maybe I missed your point and the only goal is to maximize decoupling of implementation details?
The cookie would be signed and checked for with WSGI middleware or some other intermediary (like mod_auth_tkt). How you get the cookie is not embedded into the application, and there is a CGI convention for where the unpacked cookie goes (REMOTE_USER); or it could be HTTP auth or whatever. All your app needs to know is to trust REMOTE_USER.
# Ian Bicking
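The arrangement described in the reply above, as an added example that is not code from the thread: WSGI middleware verifies an HMAC-signed cookie and sets REMOTE_USER, so a request that skips the login app reaches the application with no identity. The cookie layout (`user|expiry|mac`), the cookie name, the secret and all function names are assumptions made for illustration; mod_auth_tkt uses its own ticket format.

```python
import hashlib
import hmac
import time
from http.cookies import CookieError, SimpleCookie

SECRET = b"constructed-demo-secret"  # assumption: key shared by login app and middleware
COOKIE = "auth"  # hypothetical cookie name

def _mac(user, expires, secret):
    return hmac.new(secret, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()

def sign(user, expires, secret=SECRET):
    """Cookie value the separate login app would issue: user|expiry|mac."""
    return f"{user}|{expires}|{_mac(user, expires, secret)}"

def verify(value, secret=SECRET, now=None):
    """Return the user if the value is authentic and unexpired, else None."""
    try:
        user, expires, mac = value.rsplit("|", 2)
        expiry = int(expires)
    except ValueError:
        return None
    # Constant-time comparison, on bytes so odd input cannot raise TypeError.
    if not hmac.compare_digest(mac.encode(), _mac(user, expires, secret).encode()):
        return None
    return user if expiry >= (time.time() if now is None else now) else None

class SignedCookieAuth:
    """WSGI middleware: the only component that knows how login was done."""
    def __init__(self, app, secret=SECRET):
        self.app, self.secret = app, secret

    def __call__(self, environ, start_response):
        environ.pop("REMOTE_USER", None)  # drop any value this layer did not verify
        try:
            morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get(COOKIE)
        except CookieError:
            morsel = None
        user = verify(morsel.value, self.secret) if morsel else None
        if user is not None:
            environ["REMOTE_USER"] = user
        return self.app(environ, start_response)

def app(environ, start_response):
    """The application itself: it trusts REMOTE_USER and nothing else."""
    user = environ.get("REMOTE_USER")
    start_response("200 OK" if user else "401 Unauthorized", [("Content-Type", "text/plain")])
    return [(user or "login required").encode()]
```

Clearing REMOTE_USER at the top of the middleware is a choice made for this example; behind a front end that already authenticates (HTTP auth, mod_auth_tkt) the middleware would be left out and the server's value trusted.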