From 12147303e7904ac442b816cd218981d3305c6165 Mon Sep 17 00:00:00 2001 From: Christoph Burschka Date: Fri, 17 Jan 2014 07:06:57 +0100 Subject: Completed documentation --- plugins/session/README.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/plugins/session/README.md b/plugins/session/README.md index 9c931cb..4cd4273 100644 --- a/plugins/session/README.md +++ b/plugins/session/README.md @@ -23,6 +23,38 @@ The control flow is like this: If it exists and hasn't expired yet, it confirms the authentication and the user is logged in without a password. +Installation +------------ + +This plugin uses a database table, described in the packaged install.sql file. +Install it with this command: + + cat ./install.sql | replace '{TAB}' '<tablename>' | \ + mysql -h <host> -D <db> -u <user> -p<password> + +Next, you need to configure the database connection both in the main configuration +file and in the local `./config.php` of this plugin. + +Finally, link the `www/rpc.php` file inside your website root somewhere inside +your forum's cookie domain and path (most forums set the path to `/`, so the +domain should be sufficient). + +Usage +----- + +Whenever you need to authenticate to ejabberd, make a POST request to the URL +that points at `www/rpc.php` with `salt` set to a reasonably random 16 character +value. + +If the client making the POST request has a valid session for the site you're +authenticating with, then you will receive a JSON-encoded response as follows: + + `{"user":"<user>","secret":"<secret>","time":"<time>"} + +From the point in `<time>` to however long you configured the timeout +(60 seconds are recommended), `<secret>` will be accepted as a password +by ejabberd for `<user>` on any domains you set up to use the session +plugin. Security Considerations ----------------------- -- cgit v1.1
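Review bot: In the Installation section, the install command passes the database password as a command-line argument (`-p<password>`), which leaves it in shell history and makes it visible to other local users through the process list; suggest a bare `-p` so that mysql prompts for the password, or point readers at a client option file instead. In the Usage section, the JSON sample line begins with a stray backtick before `{"user":` that is never closed and will render literally inside the indented block, so it should be dropped. The `salt` parameter is described only as "a reasonably random 16 character value": the text should say which side generates it, that it should come from a cryptographically secure random source, and how it relates to the returned `<secret>`, given that `<secret>` is accepted as a password for `<user>` for the whole timeout window.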