One thing that may or may not be a factor - multiple web servers. Once you make that architectural leap, apache-based models start failing you, as do a lot of session methods, and you're left with cookies (or a universally passed session ID param) on the user side, and database on the backend with info about sessions.
in reply to Authentication in web applications
Which isn't to say that there's not a better way, but this is a big factor to consider for any reasonably large web site. Which most sites aren't, so, there you go.