Module doesn't recognize external username change

Problem

Currently, webserver authentication only checks if a user is logged in, but not which user is logged in. Since externally authenticated user can change without Drupal's involvement, the authenticated user should be validated against the current session on each page load. As this check is performed for current sessions, care should be taken so that the module's default behavior allows users to remain logged in when the module is first enabled.

Solution

Since the external username may differ from the Drupal username (linked via authmap), a session variable caching the externally authenticated user should be used to validate that the current session and the external user match. If they don't match, the current session should be ended, and a new login attempted. If the new login fails (or the authname is empty), the session should be anonymous.

To make this user validation work, a new configuration option to match external usernames against existing Drupal usernames (and create authmap entries, enabled by default) would ensure that the user who enables the module isn't immediately logged out and unable to log back in. An admin can then disable the option if desired, and the newly created authmap entry would ensure they remain logged in. The option should be clearly visible in the module configuration page -- however, since this module currently trumps all other authentication modules, it makes sense that existing users should be matched by default to ease migration to external authentication.