by lsc 6266 days ago
I use HTTP auth

Apache has modules to hook it up to just about any backend; it's supported by all browsers, and it's easy to automate against.

I would be interested in knowing why more people don't use it.

1 comments

Because, at least with mainstream browsers, users can't log out.

You can fail certain formal security audits for using HTTP authentication.

Speaking of the audit problem, do you have a link? Is this just for HTTP basic? Or is this the case for HTTP digest as well? What about negotiateAuth with mod_auth_kerberos or the like? Is this only because of the logout problem? Or because of the problems with basic auth?

Hm. I know you can log out by going to https://username:boguspassword@thesiteyouarelogingoutfrom.co... but that will ask you to re-input your password, usually, making it unsuitable for a 'logout' button usually, I think. I wonder if there is a JS workaround for that.