OK, so I've dusted off my 'Writing Apache Modules' book and set out to set up my first user login and resource authorization code (Linux 2.4.10, Apache 1.3.20). I'd like to avoid using cookies. I'd prefer to use basic auth so the browsers can hand the username and password stuff automatically, and all the authentication and authorization can be managed with Apache modules at the appropriate request phases.
The best I've come up with using persistent session tracking without cookies will refuse auth after timeout, requiring the user to log in again. Where it fails is that if a user has closed the browser and returns to the site, they have to log in (basic auth), but then a timed-out session is found for that user, and they would be asked to log in a second time.
Pointers to docs/how-to's etc gladly accepted, and