I just committed the shell of the Apache2 module to interact with the perl.org ducttape authentication system. Ask and I have been talking about replacing the system forever, but since it does the job, and we're already operating on negative tuits, there's no good reason.
In this process, I've determined that HTTP authentication sucks, no matter which way you slice it. There is no complete in-band answer. We've got to support standard HTTP requests, funky automated things for the RT CLI, and DAV and SVN requests for Subversion.
Basic auth gets the job done, but there's no way to log out, the prompts are very vague, and it's plaintext without SSL.
ducttape is a cookie-based system (not for protecting nuclear reactors), and if the authorization fails, you get redirected elsewhere to log in and redirected back. Automated clients like SVN and rt-cli will totally barf on a pretty login screen, which means they can't use this, and will have to fall back to a different system. (Which means I need to support two systems: one for "people", and one for "machines".)
Why can't we all just use gopher?
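The "people" versus "machines" split described above can be sketched as one decision function. This is an added example, not the module's code: the login URL, realm, user table, the `session_ok` flag standing in for ducttape's cookie check, and the Accept-header heuristic are all assumptions.

```python
import base64
import hmac
from urllib.parse import quote

LOGIN_URL = "https://auth.example.org/login"  # placeholder, not the real login URL
CHALLENGE = {"WWW-Authenticate": 'Basic realm="example"'}  # placeholder realm
SAMPLE_USERS = {"svnbot": "s3cret"}  # constructed sample credentials

def check_sample(user, password):
    """Constant-time comparison against the constructed sample table."""
    return hmac.compare_digest(SAMPLE_USERS.get(user, ""), password)

def parse_basic(value):
    """Return (user, password) from an Authorization header, or None if malformed."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def decide(method, path, headers, is_tls, session_ok, check_password):
    """Return (status, response_headers); headers is a dict with canonical names."""
    if session_ok:  # valid cookie: the "people" path already succeeded
        return 200, {}
    auth = headers.get("Authorization")
    if auth is not None:  # the "machines" path: svn, DAV, rt-cli
        if not is_tls:  # Basic is plaintext, so refuse it without SSL
            return 403, {}
        creds = parse_basic(auth)
        if creds and check_password(*creds):
            return 200, {}
        return 401, dict(CHALLENGE)
    if method == "GET" and "text/html" in headers.get("Accept", ""):
        # Browser: send to the login screen. Only a local path is carried in
        # the return parameter, so the login page cannot be used as an open redirect.
        if not path.startswith("/") or path.startswith("//"):
            path = "/"
        return 302, {"Location": f"{LOGIN_URL}?return={quote(path, safe='')}"}
    # Anything else gets a challenge it can parse instead of a login page.
    return 401, dict(CHALLENGE)
```

A client that never sends `Accept: text/html` always gets the 401 challenge, so the redirect is only ever shown to something that can render it.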