in reply to Secure Session Management

If you can use mod_perl, then try Apache::AuthCookie; the module's documentation is very clear about its benefits. It says:

  1. The client doesn't *have* to pass the user credentials on every subsequent access. If you're using passwords, this means that the password can be sent on the first request only, and subsequent requests don't need to send this (potentially sensitive) information. This is known as "ticket-based" authentication.
  2. When you determine that the client should stop using the credentials/session key, the server can tell the client to delete the cookie. Letting users "log out" is a notoriously impossible-to-solve problem of AuthBasic.
  3. AuthBasic dialog boxes are ugly. You can design your own HTML login forms when you use AuthCookie.

I found it quite interesting :) But this solves only half of your problem: you also need session management, right? Apache::Session could be an answer, but you may need to put some glue between these two modules.

Ciao, Valerio
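One way the "glue" between the two modules can look, as an added example that is not part of the original reply and not code from either module's distribution. It assumes mod_perl 1 with Apache::AuthCookie and Apache::Session::File installed; the package name My::AuthCookieHandler, the check_password routine with its single constructed user, and the session directories are all hypothetical. The idea is the ticket pattern the quoted documentation describes: the password is checked once in authen_cred and turned into an opaque session id, only that id travels in the cookie on later requests, authen_ses_key maps it back to a user on the server side, and logout deletes the server-side session before telling the client to drop the cookie.

```perl
package My::AuthCookieHandler;   # hypothetical package name
use strict;
use warnings;
use base 'Apache::AuthCookie';
use Apache::Session::File;

# Assumed, pre-created directories writable by the httpd user.
my $SESSION_DIR = '/var/lib/myapp/sessions';
my $LOCK_DIR    = '/var/lib/myapp/sessions/lock';

# Hypothetical credential check against a constructed sample user;
# replace with a lookup in your real user store (hashed passwords!).
sub check_password {
    my ($user, $password) = @_;
    my %users = ( alice => 'correct horse battery staple' );
    return defined $user && exists $users{$user}
        && defined $password && $users{$user} eq $password;
}

# Called once, when the login form is posted. AuthCookie passes the
# credential_0, credential_1, ... form fields. Return the value to put
# in the cookie, or undef to reject the login.
sub authen_cred {
    my ($self, $r, $user, $password) = @_;
    return undef unless check_password($user, $password);

    # Create a server-side session; Apache::Session generates the id.
    my %session;
    tie %session, 'Apache::Session::File', undef,
        { Directory => $SESSION_DIR, LockDirectory => $LOCK_DIR };
    $session{user}    = $user;
    $session{created} = time;
    my $id = $session{_session_id};
    untie %session;

    # Only this opaque id is sent back; the password is never resent.
    return $id;
}

# Called on every later request that carries the cookie. Map the
# cookie value back to a username, or return undef to force a fresh
# login (unknown, expired or malformed id).
sub authen_ses_key {
    my ($self, $r, $session_key) = @_;
    # Default Apache::Session ids are 32 hex chars; reject anything else
    # before it reaches the session store.
    return undef unless defined $session_key && $session_key =~ /^[0-9a-f]{32}$/;

    my %session;
    eval {
        tie %session, 'Apache::Session::File', $session_key,
            { Directory => $SESSION_DIR, LockDirectory => $LOCK_DIR };
    };
    return undef if $@;   # no such session: treat as logged out

    my $user = $session{user};
    untie %session;
    return $user;
}

# Logout handler: destroy the server-side session first, then let
# AuthCookie expire the cookie on the client. Deleting only the cookie
# would leave a still-valid ticket in the session store.
sub logout_handler {
    my ($self, $r) = @_;
    my $session_key = $self->key($r);   # current cookie value, if any
    if (defined $session_key && $session_key =~ /^[0-9a-f]{32}$/) {
        my %session;
        eval {
            tie %session, 'Apache::Session::File', $session_key,
                { Directory => $SESSION_DIR, LockDirectory => $LOCK_DIR };
            tied(%session)->delete;
            untie %session;
        };
    }
    $self->logout($r);   # AuthCookie sends an expired cookie to the browser
    $r->content_type('text/plain');
    $r->send_http_header;
    $r->print("Logged out.\n");
    return 0;   # Apache::Constants OK
}

1;

# Matching httpd.conf fragment (assumed paths; AuthName must match the
# PerlSetVar prefix, here "MyApp"):
#
#   PerlModule My::AuthCookieHandler
#   PerlSetVar MyAppPath /
#   PerlSetVar MyAppLoginScript /login.html
#   <Location /protected>
#       AuthType My::AuthCookieHandler
#       AuthName MyApp
#       PerlAuthenHandler My::AuthCookieHandler->authenticate
#       PerlAuthzHandler  My::AuthCookieHandler->authorize
#       require valid-user
#   </Location>
#   <Location /LOGIN>
#       AuthType My::AuthCookieHandler
#       AuthName MyApp
#       SetHandler perl-script
#       PerlHandler My::AuthCookieHandler->login
#   </Location>
#   <Location /LOGOUT>
#       AuthType My::AuthCookieHandler
#       AuthName MyApp
#       SetHandler perl-script
#       PerlHandler My::AuthCookieHandler->logout_handler
#   </Location>
```

The login form at /login.html posts fields named credential_0 (username) and credential_1 (password), plus a destination field, to /LOGIN, which is the contract AuthCookie's login method expects. Two things the example deliberately does not do: it keeps plaintext passwords in the hypothetical user table, which is only for illustration, and it does not expire sessions by age; a real deployment would compare the stored created timestamp in authen_ses_key and delete stale sessions, and would serve the whole thing over HTTPS so the cookie cannot be sniffed.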