in reply to Session handling security

What I've done in the past is to generate a fairly unique base64 string (20 digits or so) and send the user a cookie with that string when they first log in.

I figure the chance of another user guessing that is low, and if they were snooping the line, well, they'd have the password anyway, so why bother with a more elaborate setup?

I then check the cookie every request and expire the cookie after a time-out of say 1/2hr or whatever (usually user alterable).

I do this over the built-in password checking because, well, I wanted to figure out how and prefer the little login boxes over the pop-up style =)

Of course, these were all in the name of seeing if I could do it, so I didn't consult the all-mighty CPAN before re-engineering the wheel.

-Ducky
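
The scheme described in the post above, sketched in Perl as an added example that is not part of the original post: a 20-character random token issued at login, looked up on every request, and expired server-side after half an hour of inactivity. Assumptions: a Unix-like host with `/dev/urandom`, an in-memory `%sessions` hash standing in for a real session store, and hypothetical names (`new_token`, `login`, `check`, the `sid` cookie).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

my $IDLE_TIMEOUT = 30 * 60;   # half an hour, as in the post
my %sessions;                 # token => { user, last_seen }; stand-in for a real store

# 15 bytes from the kernel CSPRNG encode to exactly 20 base64 characters.
sub new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $got = read($fh, my $bytes, 15);
    close $fh;
    die "short read from urandom" unless defined $got && $got == 15;
    (my $tok = encode_base64($bytes, '')) =~ tr{+/}{-_};   # cookie-safe alphabet
    return $tok;
}

# Called once, after the password has been verified.
sub login {
    my ($user, $now) = @_;
    my $tok = new_token();
    $sessions{$tok} = { user => $user, last_seen => $now };
    return $tok;
}

# Called on every request with the cookie value; returns the user or undef.
sub check {
    my ($tok, $now) = @_;
    return undef unless defined $tok && $tok =~ /\A[A-Za-z0-9_-]{20}\z/;
    my $s = $sessions{$tok} or return undef;
    if ($now - $s->{last_seen} > $IDLE_TIMEOUT) {
        delete $sessions{$tok};      # expire on the server, not only in the browser
        return undef;
    }
    $s->{last_seen} = $now;          # sliding time-out: activity extends the session
    return $s->{user};
}

# Constructed walk-through with fixed clock values (seconds).
my $t0  = 1_000_000;
my $tok = login('alice', $t0);
print "Set-Cookie: sid=$tok; Path=/; HttpOnly; Secure\n";
printf "after 10 min:   %s\n", check($tok, $t0 + 600)        // 'rejected';
printf "31 min idle:    %s\n", check($tok, $t0 + 600 + 1860) // 'rejected';
printf "unknown token:  %s\n", check('A' x 20, $t0)          // 'rejected';
```

The time-out is enforced against the server's own `last_seen` record, so a client that keeps or replays an old cookie is still rejected once the session has been deleted.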