--- a/pvl/login/server.py	Mon Jan 13 21:14:30 2014 +0200
+++ b/pvl/login/server.py	Mon Jan 13 21:14:52 2014 +0200
@@ -302,6 +302,9 @@
 }
 
     """
+    
+    login_failure = None
+
     def process (self) :
         self.process_cookie()
         
@@ -335,12 +338,17 @@
                 except pvl.login.auth.AuthError as ex :
                     self.alert('danger', "Internal authentication error, try again later?")
 
-                if not set_pubtkt :
-                    self.alert('danger', "Invalid authentication credentials, try again.")
+                else :
+                    if not set_pubtkt :
+                        self.alert('danger', "Invalid authentication credentials, try again.")
             
             elif self.pubtkt and self.pubtkt.valid() :
                 # renew manually if valid
                 set_pubtkt = self.app.renew(self.pubtkt)
+            
+            # a POST request that does not modify state is a failure
+            if not set_pubtkt :
+                self.login_failure = True
 
         elif 'renew' in self.request.args :
             # renew automatically if in grace period
@@ -365,6 +373,11 @@
 
             return response
 
+    def status (self) :
+        if self.login_failure :
+            return 400
+        else :
+            return 200
 
     def render (self) :
         domain = self.app.login_domain
@@ -512,9 +525,14 @@
         if not auth :
             return None
 
+        tokens = list(self._auth.access(auth))
+        udata = self._auth.userdata(auth)
+
         return pubtkt.PubTkt.new(username,
                 valid   = self.login_valid,
                 grace   = self.login_grace,
+                tokens  = tokens,
+                udata   = udata,
         )
 
     def sign (self, pubtkt) :