Jean-Michel Hiver wrote:
>> It's pretty hard to truly separate these things.  Nobody wants to use
>> basic auth, which means there is a need for forms and handlers.
>
> How do you mean, 'nobody'? Users certainly don't mind!

Sure they do. They want a nice HTML login screen, and features like "remember this login on this computer" (using cookies) which is standard on most major sites now.


> I admit that it's hard to get away without cookies and URI encoding
> schemes, but not impossible. There's a lot of tricks that you can do
> with path_info...

But path_info is URI encoding. Also, most of the auth/access modules, including ones that stick to the auth and access phases, use cookies or URIs. There really is no other option except basic auth.


If you build a generalized auth system, there may well be other people interested in it. However, it would have to be very easy to change the mechanisms for maintaining state (cookies, URIs, basic auth) and checking credentials (any kind of database with any kind of schema). The latter probably means some custom development on every installation.

- Perrin
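
The generalized design described in the message above, sketched as an added example (not part of the original post and not code from any existing module): the state mechanisms (cookie, URI path segment, basic auth) and the credential check are separate, swappable pieces. The request dict layout, the `session` cookie name, the `/~<token>/` URI scheme, and all function names are assumptions made for this illustration.

```python
import base64, hashlib, hmac
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-key"  # assumption: a per-site secret, made up here

def sign(user):
    """Issue a tamper-evident session token for cookie or URI transport."""
    return user + "." + hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()

def verify(token):
    user, _, mac = token.rpartition(".")
    good = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if user and hmac.compare_digest(mac.encode(), good.encode()) else None

def dict_checker(table):
    """Credential check against {user: (salt, pbkdf2_hash)}; swap per install."""
    def check(user, password):
        salt, stored = table.get(user, (b"-", b""))
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(got, stored)
    return check

# State mechanisms: each maps a request dict to a user name or None.
def from_cookie(req):
    jar = SimpleCookie(req.get("headers", {}).get("Cookie", ""))
    return verify(jar["session"].value) if "session" in jar else None

def from_path_info(req):
    # Token carried as the first path segment: /~<token>/rest/of/path
    first = req.get("path_info", "").lstrip("/").split("/", 1)[0]
    return verify(first[1:]) if first.startswith("~") else None

def basic_auth(check):
    def from_basic(req):
        header = req.get("headers", {}).get("Authorization", "")
        if not header.startswith("Basic "):
            return None
        try:
            user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
        except ValueError:  # bad base64 or bad UTF-8
            return None
        return user if check(user, pw) else None
    return from_basic

def authenticate(req, mechanisms):
    """Try each configured state mechanism in order; first hit wins."""
    for mechanism in mechanisms:
        user = mechanism(req)
        if user:
            return user
    return None
```

Only `dict_checker` would need replacing to point at a different credential store; the list passed to `authenticate` decides which state mechanisms a given installation accepts.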


