Is your "no .htaccess" restriction against the use of an .htaccess file itself, or against HTTP authentication? If it's the former, I'd still highly recommend HTTP authentication to do this job, as it's the best solution. Anything else is going to either be insecure, or going to require a lot of work coding. Give us more information.

U: In case you are unaware of the distinction, a .htaccess file is just a way of specifying HTTP server configuration in a localized place. In almost all cases it is FAR better to specify these things in the main httpd.conf, as multiple levels of .htaccess files mean a lot of additional work for the server for every request. So if you are just anti-.htaccess but not necessarily anti-httpd.conf, I still highly recommend using HTTP authentication.