"Secure" is a relative term. No web-based system is as secure as a firewall, and nothing in this document should be applied to data that must be kept confidential from a determined cracker. On the other hand, web login can be as secure as other username-password protocols like telnet or ftp, and more secure than some (like POP). HTTP Digest Authentication provides a more secure login, while SSL gives transaction-level security.
Other possible schemes are generally inferior, and many of those used by novice Web developers are downright broken.
Valid alternatives such as a telnet session, or an X or JAVA-based client/server system can be built onto but not into the Web, and are excluded from this discussion.
In my view, such concerns are mostly unfounded, and many are rooted in misinformation. But that's another article.
Although this is usual browser behaviour, it is not mandatory. A browser might choose to remember credentials between sessions, or to time out. This is in general no concern of the server.
That is in HTTP/1.0. HTTP/1.1 introduces new authentication headers to deal with the more-secure digest authentication, but CGI/1.1 does not actually define whether these should be made available or hidden.
Logout is impossible because there's no HTTP status code to clear a browser's credentials - it can only be made to overwrite them with new ones. Mixed access is feasible in HTTP by customising the Server, but cannot be done in CGI.
Clientside scripting may be an option for some browsers, and an alternative workaround hack is to set a cookie saying "login invalidated".
.htaccess is Apache's user- and directory-level configuration file. If you use a different server, implementation details will differ - read the manual.
For more on DBM authentication (including the "can't get it working" problem that affects many users, particularly on Linux), see my articles on the subject posted to comp.infosystems.www.servers.unix (these may eventually be consolidated under <URL:>). You may also be interested in the README.Apache-Auth file included with RDBM, at <URL:>.
The Calendar of the WebÞing Virtual Desktop is one such application.

Contacting the Author

  • Comments, criticisms and corrections are of course welcome.
  • Private requests for help and programming support are accepted under normal commercial terms.
  • Requests for free support may be directed to the appropriate newsgroups, NOT to my mailbox.
  • I shall probably permanently killfile the next idiot who quotes this entire post in a two-line followup.
  • Every time I post an informational article (like this one) it brings me lots of email - too much to deal with on an individual basis. And that's excluding spam, which will usually only appear as an entry in my filter log. So if you mail me, you might get an answer, but then again you might not.