"BasicAuth" access protection is really simple, and in its simplicity, it fails for serious apps because:
- There's no clean way to "log out", as you noticed.
- The passwords are transmitted in the clear on each hit.
- There's no "timeout": if you forget to log out when you walk away, the next user can use your credentials.
One better solution is to use a cookie (or some other session tracking solution, like hidden fields, mangled URLs, or mangled hostnames), with a server-side database to handle the login authentication and timeout. I have an example of this in one of my columns. It's really only a few dozen lines of code. I think someone even wrapped it into a module, if I recall.
-- Randal L. Schwartz, Perl hacker
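The cookie-plus-server-side-table approach described in the post, as an added example that is not the code from Randal's column (it is in Python rather than Perl). It assumes the token is carried in a cookie by the web layer, and the user table with its salted password hash is constructed here for the example; the three BasicAuth weaknesses listed above are addressed by `logout`, by never sending the password again after login, and by the idle timeout in `validate`.

```python
import hashlib
import hmac
import os
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user table: username -> (salt, PBKDF2-SHA256 hash).
_SALT = os.urandom(16)
USERS = {"merlyn": (_SALT, _hash_password("correct horse", _SALT))}


class SessionStore:
    """Server-side session table keyed by an opaque random cookie token."""

    def __init__(self, timeout: int = IDLE_TIMEOUT):
        self.timeout = timeout
        self._sessions = {}  # token -> (username, last_seen timestamp)

    def login(self, username, password, now=None):
        """Check the password once; on success issue a token for the cookie."""
        now = time.time() if now is None else now
        # Hash against a dummy record for unknown users so the timing
        # does not reveal which usernames exist.
        salt, stored = USERS.get(username, (b"\0" * 16, b"\0" * 32))
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, now)
        return token

    def validate(self, token, now=None):
        """Map a cookie token to a user, enforcing the idle timeout."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > self.timeout:
            del self._sessions[token]  # stale session: treat as logged out
            return None
        self._sessions[token] = (user, now)  # sliding window on activity
        return user

    def logout(self, token):
        """Explicit log out: forget the token server-side."""
        return self._sessions.pop(token, None) is not None
```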