in reply to Re: Re: CGI Session 'security' for in-house app.
in thread CGI Session 'security' for in-house app.
You are right that HTTP authentication doesn't expand to session data management. Nor does it make coffee. However, your stated problem was "how to keep curious employees from entering data". And while creating sessions is one way of solving it, it doesn't mean you need sessions at all to solve your problem. If, besides keeping curious employees from entering data, you do need sessions, you should have asked about how to make sessions - and not mention the curious employees at all. After all, after solving the session problem, the curious employees have been taken care of.
Not using any expiration time would allow the possibility - admittedly remote - of reuse (by regeneration) of the session key.
But that's why you use HTTP level authentication....
Of course, if someone goes to the trouble of trying to regenerate a session key, would you still classify them as "curious employees stumbling upon the site entering data by accident"? *I* would classify them as "malicious hackers" (or "crackers" for slashdot types).
-- Abigail
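The two controls discussed in this reply, an expiration time on the session key and HTTP-level authentication in front of the application, can be combined so that a session is only honoured when it is unexpired and was issued to the same authenticated user the web server now reports. The following is an added example, not code from the original thread or from any PerlMonks poster; it assumes a CGI-style environment where the authenticated user arrives as REMOTE_USER, and uses an in-memory dictionary as a stand-in for whatever session store the application would actually use.

```python
import secrets
import time

# Constructed in-memory session store: token -> (user, expiry timestamp).
# A real CGI app would persist this (file, DB) between requests; the
# validation logic below is what matters.
SESSIONS = {}

# Assumed lifetime for the example: 30 minutes of idle time.
SESSION_LIFETIME = 30 * 60


def create_session(remote_user, now=None):
    """Issue a fresh, unguessable session key bound to the HTTP-authenticated user."""
    if not remote_user:
        # Never mint a session for an unauthenticated request.
        raise ValueError("REMOTE_USER missing: HTTP authentication must run first")
    now = time.time() if now is None else now
    token = secrets.token_hex(32)  # 256 bits from the OS CSPRNG, not regenerable
    SESSIONS[token] = (remote_user, now + SESSION_LIFETIME)
    return token


def validate_session(token, remote_user, now=None):
    """Return True only if the token exists, is unexpired, and belongs to remote_user.

    Any failure removes the token so a stale or mismatched key cannot be retried.
    """
    now = time.time() if now is None else now
    entry = SESSIONS.get(token)
    if entry is None:
        return False
    user, expires_at = entry
    if now >= expires_at:
        SESSIONS.pop(token, None)  # expired: drop it rather than leave it reusable
        return False
    if user != remote_user:
        SESSIONS.pop(token, None)  # key presented by a different authenticated user
        return False
    # Sliding expiry: each valid use extends the window from now.
    SESSIONS[token] = (user, now + SESSION_LIFETIME)
    return True


def handle_request(environ, now=None):
    """Minimal CGI-style dispatcher: trusts only REMOTE_USER plus a valid session.

    `environ` is a dict standing in for os.environ in a CGI script.
    """
    remote_user = environ.get("REMOTE_USER")
    if not remote_user:
        return 401, "HTTP authentication required"
    token = environ.get("HTTP_COOKIE_SESSION")  # assumed cookie extraction
    if token and validate_session(token, remote_user, now):
        return 200, "session ok for %s" % remote_user
    new_token = create_session(remote_user, now)
    return 200, "new session issued: %s" % new_token


if __name__ == "__main__":
    t0 = 1_000_000.0
    env = {"REMOTE_USER": "alice"}
    status, body = handle_request(env, now=t0)
    print(status, body)
```

The design point is that the session key carries no authority on its own: the web server's HTTP authentication decides who the caller is, the session only adds state for that caller, and a key presented after its lifetime or by a different authenticated user is discarded rather than honoured.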