Comment 2 for bug 1385564

Aaron Wells (u-aaronw) wrote : Re: Can illegally access pages that contain a secret url by normal url

The way Secret URL currently works is that when you access the page by its Secret URL (i.e. /view/view.php?t=<secret token here>), we store that secret token in a "viewaccess" cookie in the browser. This cookie has a browser session lifetime.

Then, in can_view_view(), we check for that viewaccess cookie in addition to other checks. This means that, once you view a page by its secret URL, you can continue to view the page by its normal URL, until you close your browser window.

A similar system is in place for pages viewed by mnet, except that the URL has "mt=", the cookie is "mviewaccess", and can_view_view() makes sure you're logged in as an MNet user.

There's also a "caccess" cookie, which is set instead of viewaccess or mviewaccess if the page is in a collection. (Secret URLs for a page give access to the whole collection.) This is actually a mild bug -- it should be a separate "mcaccess" cookie for a collection page viewed via MNet.
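The access flow described in the comment above, as an added, self-contained Python model; this is not Mahara's code, and the view records, token values, and the assumption that the "caccess" check cannot apply the MNet-login requirement (because the cookie name does not record which path set it) are constructed here for illustration. It reproduces the reported behaviour (once a secret URL has been opened, the plain URL works for the rest of the browser session), the collection-wide grant, and the consequence of sharing one cookie name between the normal and MNet collection paths.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class View:
    id: int
    owner: str
    secret_token: Optional[str] = None    # token in /view/view.php?t=<token>
    mnet_token: Optional[str] = None      # token in /view/view.php?mt=<token>
    collection_id: Optional[int] = None


@dataclass
class BrowserSession:
    """Stands in for one browser session; its cookies vanish when the browser closes."""
    user: Optional[str] = None
    mnet_user: bool = False
    cookies: Dict[str, str] = field(default_factory=dict)


# Constructed sample data (not from the bug report): two standalone pages and a
# two-page collection. Token strings are placeholders.
VIEWS: List[View] = [
    View(1, "alice", secret_token="tok-view1"),
    View(2, "alice", secret_token="tok-view2", mnet_token="mtok-view2"),
    View(3, "bob", secret_token="tok-view3", mnet_token="mtok-view3", collection_id=10),
    View(4, "bob", secret_token="tok-view4", collection_id=10),
]
BY_ID = {v.id: v for v in VIEWS}


def _collection_tokens(collection_id: int) -> Set[str]:
    """Every token that opens the collection: a secret URL of any page in it."""
    toks: Set[str] = set()
    for v in VIEWS:
        if v.collection_id == collection_id:
            toks.update(t for t in (v.secret_token, v.mnet_token) if t)
    return toks


def open_secret_url(session: BrowserSession, view_id: int, token: str,
                    via_mnet: bool = False) -> bool:
    """Visit /view/view.php?t=<token> (or mt=<token>); on success set the session cookie."""
    view = BY_ID[view_id]
    expected = view.mnet_token if via_mnet else view.secret_token
    if expected is None or token != expected:
        return False
    if via_mnet and not session.mnet_user:
        return False
    if view.collection_id is not None:
        cookie = "caccess"          # one name for both paths, as the comment notes
    else:
        cookie = "mviewaccess" if via_mnet else "viewaccess"
    session.cookies[cookie] = token
    return True


def can_view_view(session: BrowserSession, view_id: int) -> bool:
    """Plain URL /view/view.php?id=<id>: owner check, then the cookie-based checks."""
    view = BY_ID[view_id]
    if session.user == view.owner:
        return True
    if view.secret_token and session.cookies.get("viewaccess") == view.secret_token:
        return True
    if (session.mnet_user and view.mnet_token
            and session.cookies.get("mviewaccess") == view.mnet_token):
        return True
    if view.collection_id is not None:
        tok = session.cookies.get("caccess")
        # Assumed consequence of the shared name: with no separate "mcaccess" cookie
        # the MNet-login requirement cannot be applied to a collection grant.
        if tok in _collection_tokens(view.collection_id):
            return True
    return False


def demo() -> Dict[str, bool]:
    """Walk through the scenarios the comment describes and return each outcome."""
    anon = BrowserSession()
    before = can_view_view(anon, 1)
    open_secret_url(anon, 1, "tok-view1")
    after = can_view_view(anon, 1)              # plain URL now works
    other_page = can_view_view(anon, 2)         # token is bound to view 1 only
    after_close = can_view_view(BrowserSession(), 1)   # new browser session

    coll = BrowserSession()
    open_secret_url(coll, 3, "tok-view3")       # secret URL of one collection page
    sibling = can_view_view(coll, 4)            # grants the whole collection

    mnet = BrowserSession(mnet_user=True)
    open_secret_url(mnet, 2, "mtok-view2", via_mnet=True)
    open_secret_url(mnet, 3, "mtok-view3", via_mnet=True)
    mnet.mnet_user = False                      # MNet login gone, cookies remain
    return {
        "before": before, "after": after, "other_page": other_page,
        "after_close": after_close, "sibling_in_collection": sibling,
        "mnet_standalone_after_logout": can_view_view(mnet, 2),
        "mnet_collection_after_logout": can_view_view(mnet, 3),
    }
```

The last two results in `demo()` are the point of the comment's final paragraph: the standalone page is refused once the MNet login is gone because "mviewaccess" is checked together with the MNet-user requirement, while the collection page is still served from the shared "caccess" cookie, which is why a separate "mcaccess" cookie would let that check be applied there too.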