Hello All,
There has been a lot of discussion in the past about how to do pure
HTTP authentication without cookies. I've seen one solution posted to
this list, by Jean-Michel Hiver; however, it is outdated, as his code
doesn't work with the latest Apache + mod_perl, and he doesn't
clearly indicate the limitations against all modern browsers. And I
prefer to use Digest authentication instead of Basic.
As I had a need for this myself, I've taken the plunge and done a
really exhaustive examination of doing authentication without
cookies. Including being able to do the following:
1. Optional authentication or personalisation: provide extra
features for authenticated users, but also show the URL to
non-authenticated users.
2. Users can log off (that's the hard bit).
3. Customizable login screens.
4. Discussion of a possible implementation of being logged out after
a certain period.
The long discussion starts here:
http://www.pobox.com/~berend/rest/authentication.html
Sample website is here:
http://www.pobox.com/~berend/rest/site/
I really appreciate any comments. It is extraordinarily easy to make a
mistake here and think something works where it actually doesn't. I
tried to be very lucid and give samples that don't require any Perl or
mod_perl skills, so hopefully they are portable to other web servers
than Apache as well.
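A worked example, added here and not code from the linked article or its sample site: a minimal server-side model of cookie-less HTTP Digest authentication (RFC 2617, qop=auth) with the "optional authentication" behaviour from point 1, written in Python so it needs no Perl or mod_perl. The realm name, the user table, the /login path, the nonce lifetime and the small client helper are all constructed for illustration and are not taken from the post.

```python
"""Cookie-less HTTP Digest authentication with optional login.

Added example (not the linked article's code).  Realm, users, paths and
the nonce lifetime are constructed assumptions for illustration.
"""
import hashlib
import hmac
import re
import secrets
import time

REALM = "example-realm"       # constructed realm name
NONCE_LIFETIME = 300          # seconds a server nonce stays valid (assumption)


def _md5(s):
    # RFC 2617 Digest is defined over MD5; it is used here as a protocol
    # primitive, not as a general-purpose password hash.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Constructed user table: store HA1 = MD5(user:realm:password), never the
# plaintext password itself.
USERS = {"alice": _md5("alice:%s:wonderland" % REALM)}

_nonces = {}                  # nonce -> time issued (server-side state)


def issue_nonce():
    """Mint a fresh, unpredictable nonce and remember when it was issued."""
    nonce = secrets.token_hex(16)
    _nonces[nonce] = time.time()
    return nonce


def nonce_is_valid(nonce):
    """Only nonces we issued, and that have not aged out, are accepted."""
    issued = _nonces.get(nonce)
    return issued is not None and time.time() - issued < NONCE_LIFETIME


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_digest_header(header):
    """Turn 'Digest k="v", k2=v2' into a dict (quoted or bare values)."""
    if not header.startswith("Digest "):
        return {}
    return {k: q or b for k, q, b in _PARAM_RE.findall(header[7:])}


def expected_response(ha1, method, p):
    """Recompute the RFC 2617 response digest from the stored HA1."""
    ha2 = _md5("%s:%s" % (method, p["uri"]))
    if p.get("qop") == "auth":
        return _md5("%s:%s:%s:%s:auth:%s" % (ha1, p["nonce"], p["nc"], p["cnonce"], ha2))
    return _md5("%s:%s:%s" % (ha1, p["nonce"], ha2))


def authenticated_user(method, request_uri, headers):
    """Username if the Authorization header proves the password against a live
    nonce, otherwise None (the request is then treated as anonymous)."""
    p = parse_digest_header(headers.get("Authorization", ""))
    if not {"username", "realm", "nonce", "uri", "response"}.issubset(p):
        return None
    if p["realm"] != REALM or p["uri"] != request_uri or not nonce_is_valid(p["nonce"]):
        return None
    if p.get("qop") == "auth" and not {"nc", "cnonce"}.issubset(p):
        return None
    ha1 = USERS.get(p["username"])
    if ha1 is None:
        return None
    # Constant-time comparison so a mismatch does not leak where it differed.
    if not hmac.compare_digest(expected_response(ha1, method, p), p["response"]):
        return None
    return p["username"]


def handle_request(method, path, headers):
    """Optional authentication: every page is served to anonymous users;
    only /login answers 401 with a challenge, which makes the browser prompt."""
    user = authenticated_user(method, path, headers)
    if user is None and path == "/login":
        challenge = 'Digest realm="%s", qop="auth", nonce="%s"' % (REALM, issue_nonce())
        return 401, {"WWW-Authenticate": challenge}, "Please log in."
    if user is None:
        return 200, {}, 'Welcome, guest. <a href="/login">Log in</a>'
    return 200, {}, "Welcome back, %s. Extra features enabled." % user


def build_digest_header(username, password, method, uri, nonce,
                        cnonce="0a4f113b", nc="00000001"):
    """Minimal client side (what a browser does), to exercise the server above."""
    ha1 = _md5("%s:%s:%s" % (username, REALM, password))
    p = {"uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce, "qop": "auth"}
    resp = expected_response(ha1, method, p)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, '
            'nc=%s, cnonce="%s", response="%s"'
            % (username, REALM, nonce, uri, nc, cnonce, resp))
```

Two design points worth noting. Because the browser resends the Authorization header on every request once it has credentials, an anonymous request to an ordinary page is simply served the guest view, while the same page shows the personalised view when a valid header arrives; only /login deliberately returns 401 to trigger the prompt. The server-issued nonce with a bounded lifetime is also the natural hook for point 4: once the nonce ages out, a previously valid header is rejected and the user is effectively logged out until they authenticate against a fresh challenge.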