$ses->expire("+1y");  # most of the session lasts forever

my $dood = $ses->param("dood");
my $user = $ses->param("user");

if( not $user and (my $bcd = $ses->param("bc_data")) ) {
    $user = $bc->verify( $bcd );  # we only verify the bc_data every hour or so
}

if( not $user and (my $f = $cgi->param("bc_fields")) and ($user = $bc->verify($cgi)) ) {
    # This line is stolen from Authen::Bitcard directly (minus a few bytes)...
    # Why don't they export this?
    my %data = map { $_ => $cgi->param($_) } split(/,/, $f), 'bc_sig';

    $ses->param( bc_data => \%data ); # so we can verify above

    $dood = $user->{username} || $user->{name} || $user->{email}
         || "Incognito #" . $user->{id};

    $ses->param( dood => $dood );
    $ses->flush;

    print $cgi->redirect($cgi->url);
    exit 0;
}

if( $cgi->param("lo") or ($user and not $dood) ) {
    $ses->clear([qw(user bc_data)]);

    print $cgi->redirect($cgi->url);
    exit 0;
}

if( $user and not $ses->param("user") ) {
    $ses->param( user => $user );
    $ses->expire( user => "+1h" ); # this means every hour we'll verify(bc_data)
}