netsight/netsight.windowsauthplugin

Auth may cause challenge-loop due to missing perms

Opened this issue · 0 comments

If a user is challenged to authenticate via SPNEGO and this succeeds, i.e. we get a user id, then we may still end up with a situation where that user does not have permission to render the page, causing a new challenge.

I think it makes sense to set some sort of cookie (with a not-far-in-the-future expiration, perhaps configurable) to say that we've actually authenticated this user and challenging won't help getting the authorization.

Makes sense?
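
A sketch of the marker cookie proposed above, added here as an example and not taken from the issue or the plugin's code. The cookie name, secret, TTL and function names are hypothetical; the marker is HMAC-signed with a short expiry and only suppresses a repeat challenge, it is never treated as proof of identity.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret held server-side
COOKIE_NAME = "__spnego_done"     # hypothetical cookie name
TTL_SECONDS = 300                 # short, configurable lifetime of the marker


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_marker(user_id, now=None):
    """Cookie value to set once SPNEGO has yielded a user id."""
    now = time.time() if now is None else now
    payload = "%s|%d" % (user_id, int(now + TTL_SECONDS))
    return "%s|%s" % (payload, _sign(payload))


def marker_user(value, now=None):
    """Return the user id from a valid, unexpired marker, else None."""
    now = time.time() if now is None else now
    try:
        # rsplit keeps any '|' inside the user id intact
        user_id, expires, sig = value.rsplit("|", 2)
        expires_at = int(expires)
    except ValueError:
        return None
    expected = _sign("%s|%s" % (user_id, expires))
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # forged or tampered marker: ignore it
    return user_id if now < expires_at else None


def should_challenge(cookies, now=None):
    """Called when rendering raised Unauthorized.

    True  -> answer 401 with a Negotiate challenge (no valid marker yet).
    False -> SPNEGO already succeeded recently, so another challenge cannot
             change the outcome; answer with a plain "forbidden" page instead.
    """
    value = cookies.get(COOKIE_NAME)
    return value is None or marker_user(value, now) is None
```

Signing and expiring the marker means a stale or injected cookie cannot suppress challenges indefinitely.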