I now actually handle the /login URL and check whether the email and
password are valid, creating the session cookie if correct, but doing
nothing else with that cookie, for now.
The validation is done by hand for now, because i do not yet how i will
actually do it without so much duplication.