diff --git a/apiV1login.go b/apiV1login.go index 4795a88..c83beb6 100644 --- a/apiV1login.go +++ b/apiV1login.go @@ -1,27 +1,24 @@ package main import ( - "biukop/sfm/loan" + "biukop.com/sfm/loan" "database/sql" + "encoding/json" log "github.com/sirupsen/logrus" "net/http" "time" ) -type login struct { - user string - pass string - buser string //admin - bpass string //always_correct_md5 => YWRtaW46YWx3YXlzX2NvcnJlY3RfbWQ1 - token string - ts time.Time +type loginForm struct { + Login string `json:"u"` + Pass string `json:"p"` } func apiV1Login(w http.ResponseWriter, r *http.Request, ss *loan.Session) { res := apiV1ResponseBlank() - l := login{} - e := l.initRequest(r) + l := loginForm{} + e := l.getFromClient(r) if e != nil { log.Warn("Failed login - cannot analyze request " + e.Error()) res.add("login", false) @@ -30,8 +27,8 @@ func apiV1Login(w http.ResponseWriter, r *http.Request, ss *loan.Session) { return } - trial := loan.Session{} - u, e := trial.Login(l.user, l.pass) + //try login + _, e = ss.Login(l.Login, l.Pass) if e == sql.ErrNoRows { //not found log.Warnf("Failed login - user not found %+v, error=%s", l, e.Error()) res.add("login", false) 
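Review bot: `loginForm` now holds the submitted plaintext password in an exported field and carries no documentation saying so; a doc comment would protect the next maintainer from formatting or echoing the struct wholesale, e.g. `// loginForm is the JSON login body: {"u": user, "p": password}.` above the type and `// Pass is the plaintext credential; never log or serialise the whole struct.` on the field. Missing or empty `u`/`p` decode as empty strings and are passed straight on to `ss.Login`; if the session layer does not reject them itself, a guard after `getFromClient` such as `if l.Login == "" || l.Pass == "" { /* respond login=false */ }` would avoid a pointless lookup. The body of apiV1Login continues past this hunk.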
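Review bot: The not-found warning formats the whole form with `%+v`, so every failed login attempt writes the submitted plaintext password (`Pass`, now an exported field of `loginForm`) into the log, and failed attempts are very often real passwords with a typo or from another account. Log only the identifier: `log.Warnf("Failed login - user not found %q, error=%s", l.Login, e.Error())`. The comparison `e == sql.ErrNoRows` also matches only the bare sentinel; if `ss.Login` wraps its errors this branch is skipped, so `errors.Is(e, sql.ErrNoRows)` is safer (that needs an `errors` import, which this change does not add). The enclosing function continues past this hunk.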
@@ -44,46 +41,45 @@ func apiV1Login(w http.ResponseWriter, r *http.Request, ss *loan.Session) { res.add("reason", "either user name or password is not right") res.sendJson(w) return - } - //log in user - if u.Id == ss.User { - e = ss.LogInUser(u.Id) - if e != nil { - log.Error("Cannot Load authenticated user:", u.Id) - apiV1Server500Error(w, r) - return - } - } else if !ss.IsEmpty() { - ss.InitForUser(u.Id, time.Now().Add(loan.DefaultSessionDuration)) } else { - ss.InitForUser(u.Id, time.Now().Add(loan.DefaultSessionDuration)) + //Audit user login, in db + log.Info("successful login ", l.Login) } - //enforce machine id - ss.Add("mid", apiV1GetMachineId(r)) - res.add("auth", ss.Token) - res.add("session_id", ss.Id) - res.add("session_expire", ss.ExpireStr()) - res.add("session_expire_human", ss.Expire.Format(time.RFC1123Z)) - res.add("session_user", ss.User) - res.add("buser", ss.User) - res.add("bpass", ss.CheckSum()) - res.add("mid", ss.Get("mid")) + //format response + res.add("login", true) + res.add("Biukop-Session", ss.Id) + res.add("Biukop-Mid", ss.Get("Biukop-Mid")) + res.add("sessionExpire", ss.ExpireStr()) + res.add("sessionExpireHuman", ss.Expire.Format(time.RFC1123Z)) + if config.Debug { + u, e := ss.GetUser() + if e == nil { + res.Env.Body["debug_session_user"] = u + } else { + log.Warn("cannot read user for session ", ss) + res.Env.Body["debug_session_user_error"] = e.Error() + } + } //send out - apiV1AddTrackingCookie(w, r, ss) + apiV1AddTrackingCookie(w, r, ss) //always the last one to set cookies res.sendJson(w) } -func (m *login) initRequest(r *http.Request) (e error) { - e = r.ParseForm() +func (m *loginForm) getFromClient(r *http.Request) (e error) { + + e = apiV1DecodeRequestBody(m, r) if e != nil { log.Error(e) return } + return +} - m.user = r.PostForm.Get("u") - m.pass = r.PostForm.Get("p") - m.buser, m.bpass, _ = r.BasicAuth() +func apiV1DecodeRequestBody(bb interface{}, r *http.Request) (e error) { + decoder := json.NewDecoder(r.Body) + 
decoder.DisallowUnknownFields() + e = decoder.Decode(bb) return }
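Review bot: `apiV1DecodeRequestBody` decodes `r.Body` with no size cap, so this unauthenticated login endpoint will buffer whatever a client streams at it (an arbitrarily long string in `p` is enough); bound the reader before decoding, e.g. `decoder := json.NewDecoder(io.LimitReader(r.Body, 64<<10))` (needs an `io` import, which this change does not add; `http.MaxBytesReader` would also let you answer 413 but requires passing the ResponseWriter in). The decoder also accepts trailing data after the first JSON value; a second `Decode` into an empty struct that must return `io.EOF` closes that. In the success branch nothing visible in the hunk rotates `ss.Id` before it is returned as `Biukop-Session`, so if `ss.Login` does not regenerate the identifier on authentication a pre-login session id is fixated across the privilege change — worth confirming in `loan.Session.Login`. `getFromClient` logs the decode error and returns it, and apiV1Login then logs the same error again as a warning; dropping the inner `log.Error(e)` removes the duplicate.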