> It's pretty hard to truly separate these things. Nobody wants to use
> basic auth, which means there is a need for forms and handlers.

How do you mean, 'nobody'? Users certainly don't mind!

> Then you have to keep that information in either cookies or URLs, and
> there is usually a need to talk to an external data database with a
> site-specific schema.

I admit that it's hard to get away without cookies and URI encoding schemes, but not impossible. There are a lot of tricks that you can do with path_info... For example,

http://www.example.com/some/address/hello.txt,do_something

This URL is easy to protect / authorize using LocationMatch directives.

Basically I think you can use these simple schemes in complex applications if you're careful about your URIs. But it's true that it can be a real mindf*ck :) Basically each state of your application needs a different URI...

However I find it well worth it, the promise of a truly modular, standard, pluggable authorization system is seductive, and also very 'marketable' I think.

Cheers,
--
Building a better web - http://www.mkdoc.com/
---------------------------------------------
Jean-Michel Hiver
[EMAIL PROTECTED] - +44 (0)114 255 8097
Homepage: http://www.webmatrix.net/
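
The scheme described in the message above, sketched as an added configuration example that is not part of the original e-mail. It assumes Apache 2.4 authorization syntax with mod_authz_groupfile loaded; the file paths, realm name, group name and the `,edit` action are hypothetical, and only `,do_something` comes from the message.

```apache
# Constructed example: paths, realm, group and the ",edit" action are assumptions.
# URIs without a ",action" suffix match none of these blocks and stay public.

# Default deny: any ",action" suffix under /some/address/ that is not
# explicitly allowed further down is refused. Sections are applied in
# file order, and with the default "AuthMerging Off" a later matching
# section's Require replaces this one.
<LocationMatch "^/some/address/.*,[^/]*$">
    Require all denied
</LocationMatch>

# ",do_something" on any document: any authenticated user.
# The regex is anchored at both ends so that only the trailing
# action suffix selects this rule.
<LocationMatch "^/some/address/[^,]+,do_something$">
    AuthType Basic
    AuthName "Example realm"
    AuthUserFile "/etc/apache2/example.htpasswd"
    Require valid-user
</LocationMatch>

# Hypothetical second action, limited to one group.
<LocationMatch "^/some/address/[^,]+,edit$">
    AuthType Basic
    AuthName "Example realm"
    AuthUserFile "/etc/apache2/example.htpasswd"
    AuthGroupFile "/etc/apache2/example.htgroup"
    Require group editors
</LocationMatch>
```

Basic authentication sends the password base64-encoded on every request, so a setup like this belongs behind TLS.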