sylph001,
I have no idea what the original author intended by in and out of band but here are some interesting things I have ran into while doing website automation:

• Cookies being set with Javascript
• Authentication using an Ajax JSON post not associated with the "login" button
• Redirecting to a 1 use URL which authenticated and then redirected to normal page

I am sure there are others but the point was that not all authentication methods are straight forward.