CGI question: safe passwords possible?

Paul Rubin http
Sat May 31 06:23:05 EDT 2003


Ian Bicking <ianb at colorstudy.com> writes:
> FWIW, getting access to the authentication headers yourself can be quite
> difficult.  Apache does not freely pass authentication information on to
> CGI scripts, for security reasons (particularly with people who don't
> trust each other on the same domain).  If you don't have complete
> control of Apache, don't even bother trying.

Generally speaking, using HTTP auth is a pretty crude way to do
authentication.  It's simple, but has an annoying UI.  Once a person
logs in with it, they can't log out without closing their browser.  It
throws a username/password dialog box on the screen which can feel
kind of harsh for the user.  Basically it's something you do if you
want to put quick and dirty access control on some file or resource.
If you're trying to make a nice site, implement your own
authentication in your CGI and maintain session with a cookie.
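
The cookie-based session suggested above, as an added example that is not part of the original post. It assumes the login form's password check has already succeeded; SECRET_KEY, SESSION_TTL, COOKIE_NAME and the function names are hypothetical.

```python
import base64, hashlib, hmac, time
from http.cookies import CookieError, SimpleCookie

SECRET_KEY = b"constructed-demo-key"  # assumption: real key comes from protected config
SESSION_TTL = 1800                    # seconds; assumed policy value
COOKIE_NAME = "session"               # hypothetical cookie name

def _sign(payload):
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()

def issue_session(username, now=None):
    """Set-Cookie line for a user whose password check has just succeeded."""
    expires = int((time.time() if now is None else now) + SESSION_TTL)
    payload = f"{username}|{expires}".encode()
    # Padding is stripped so the value needs no quoting in the header.
    b64 = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = f"{b64}.{_sign(payload)}"
    cookie[COOKIE_NAME]["path"] = "/"
    cookie[COOKIE_NAME]["httponly"] = True   # not readable from page scripts
    cookie[COOKIE_NAME]["secure"] = True     # only sent over HTTPS
    cookie[COOKIE_NAME]["samesite"] = "Lax"
    return cookie.output()

def verify_session(cookie_header, now=None):
    """Return the username for a valid, unexpired cookie, else None."""
    try:
        cookie = SimpleCookie()
        cookie.load(cookie_header or "")
        b64, sig = cookie[COOKIE_NAME].value.split(".", 1)
        payload = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
        # Check the MAC in constant time before trusting any field.
        if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
            return None
        username, expires = payload.decode().rsplit("|", 1)
        if int(expires) < (time.time() if now is None else now):
            return None
        return username
    except (KeyError, ValueError, CookieError):
        return None

def logout_cookie():
    """Set-Cookie line that clears the session: the logout HTTP auth lacks."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = ""
    cookie[COOKIE_NAME]["path"] = "/"
    cookie[COOKIE_NAME]["max-age"] = 0
    return cookie.output()
```

In a CGI script the argument to verify_session is os.environ.get("HTTP_COOKIE"). Because the token is stateless, clearing the cookie does not revoke a copied token before it expires; that needs a server-side session table.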



