In Put name and password in URLs I discuss how Hotmail solves this exact problem. Note that in the last few weeks the RSA patent expired. You can now aquire, for free and legally in the US, both Apache and mod_ssl to implement the https server required in the authentication.

As for your solution, it is pretty good but I would have a number of concerns. For instance what happens if someone sends you a request that matches a file you care about? Can someone who is sniffing the network spoof the connection? Was the password sent in the clear?

None of this probably matters for a chat server. (Heck how many of us are willing to let cookies go around with plaintext passwords?) But I wouldn't want to trust that with important data.