I thought people might be interested in an idea I had about HTTP BASIC_AUTH. The biggest problem with basic auth is that the user -cannot log out-. I've come up with a way to avoid this problem.

Let's assume that when the user visits your site, you're going to give him a cookie. The cookie has a session id. Generally with Basic Auth you have a Realm for where the user is getting access.

Instead of giving them an english realm like 'secure', give them the session id as the realm. When you do this, they respond their challenge based on the session id you've given them.

Now, when the user goes to log out - or closes their browser to invalidate their session cookie, you simply throw away their cookie and force them to get a new one. This means they get a new session id - which means the credentials for the basic auth are now wrong. This will cause them to be prompted to log back in again.

Vwalla, successful logout from HTTP's Basic Auth. Let me know if you use the idea.