> > No, that doesn't satisfy the following:
> >
> > > If someone authenticates on https://www.example.com/webapp, the url is available for everyone.
> Could the complicating allow directive sequence be placed in an if/else type of scope that uses some elements of the deciding session?