in reply to Authentication in web applications

On CGI authentication:

What you call CGI authentication isn't. It is Query String or Post Data based (usually with a Cookie for authentication of later requests). How the server deals with that data is up to the programmer; CGI is only one option. (Others include mod_perl.)

On putting authentication outside the application logic:

While Basic/Digest authentication is typically handled outside the application, and Post/Get authentication is typically handled by the application, this isn't a hard and fast rule. Mod_perl, for instance, allows you to specify a Perl module to handle authentication; this is outside the application logic and handled on a separate layer by the server.

On the ability to log out:

Post/Get based authentication doesn't provide the user with a way to log out. It provides the programmer with a way to log the user out. Basic/Digest authentication requires the browser programmer to provide a logout feature (and most don't, although I hear Opera does).
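
The separate-layer arrangement described under "On putting authentication outside the application logic", as an added example that is not part of the original post: a mod_perl 2 authentication handler that the server runs before any application code. The package name `My::Authen`, the `AuthFile` variable, the `/app` location and the `user:crypt-hash` file layout are assumptions.

```perl
# Added example; names and paths are assumptions, not from the post.
# httpd.conf (the AuthFile path is a placeholder):
#   <Location /app>
#       AuthType Basic
#       AuthName "app"
#       Require valid-user
#       PerlSetVar AuthFile /path/to/passwd
#       PerlAuthenHandler My::Authen
#   </Location>
package My::Authen;

use strict;
use warnings;

use Apache2::RequestRec ();    # $r->user
use Apache2::RequestUtil ();   # $r->dir_config
use Apache2::Access ();        # get_basic_auth_pw, note_basic_auth_failure
use Apache2::Log ();           # $r->log_error
use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED SERVER_ERROR);

# Return the stored crypt() hash for $user from a "user:hash" file, or undef.
sub stored_hash {
    my ($file, $user) = @_;
    open my $fh, '<', $file or return;
    while (my $line = <$fh>) {
        chomp $line;
        my ($name, $hash) = split /:/, $line, 2;
        return $hash if defined $hash && $name eq $user;
    }
    return;
}

sub handler {
    my $r = shift;
    # Parses the Authorization header; a non-OK status means no usable credentials.
    my ($status, $password) = $r->get_basic_auth_pw;
    return $status unless $status == Apache2::Const::OK;

    my $file = $r->dir_config('AuthFile');
    unless (defined $file && -r $file) {    # fail closed on misconfiguration
        $r->log_error('My::Authen: AuthFile missing or unreadable');
        return Apache2::Const::SERVER_ERROR;
    }
    my $hash = stored_hash($file, $r->user);
    my $try  = defined $hash ? crypt($password, $hash) : undef;
    return Apache2::Const::OK if defined $try && $try eq $hash;

    $r->note_basic_auth_failure;            # sends WWW-Authenticate again
    return Apache2::Const::HTTP_UNAUTHORIZED;
}
1;
```

The application behind `/app` contains no login code at all; it only sees requests the handler has already accepted.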