There is no consistent reliable way to ensure that a browser will stop sending BasicAuth once properly authenticated.

And since you ruled out cookies, that leaves you with managled URLs or hidden form elements as the only other ways of tracking session. Pick one, and use it. There's really no alternatives.

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.