Mike Macgirvin
Diary and Other Rantings
Beyond Silicon Valley
   
Friday, May 16 2008, 12:58 pm
Feb 25, 2006
Authentication system

I've just about got most of the kinks out of the new authentication system. Should be able to plug it in next week (I'm going away for a couple of days).

What I'm trying to do is something I haven't seen in all my web travels (though it probably exists in a corner of another galaxy in the web universe). A multi-user authenticated website without cookies and without sessions, and which also allows non-authenticated access. You'd think it was rocket science, but it turns out to be relatively easy. And no, I'm not using chained HTTP POST requests or encoded URLs to pass info through the site. I call that a session. And it works on all browsers! (This site is optimized for Firefox on Linux - if it doesn't display correctly in your browser, tough titties). So far I can't see any fundamental logic flaw, which makes me wonder why 99.999999999999999% of the other websites feel they need cookies and/or sessions. It seems to be a case of everybody else does it this way, so that's the way it has to be done...

[Update 27-FEB-2006]

I found the logic flaw... It isn't insurmountable, but the logic is ugly. Basically, it was a fresh new face on HTTP auth. By re-arranging the logic, it's possible to have a page authenticate only when desired, and not 100% of the time. That was my novel concept. The flaw is the same old flaw in HTTP auth - you can't easily logout. I've found several workarounds that can be made to provide this functionality, but are basically crude hacks from a technical standpoint. I really don't like crude hacks. Looks like I'll be going back to cookies/sessions - or perhaps decide that logging out isn't important for what I'm trying to accomplish. I'm no longer trying to write a diary software package to give/sell/distribute to others, for instance. That decision frees me from a lot of installation and support issues; and allows me to write for a modern environment (for once) instead of dumbing everything down so it will work with Apache1/MySQL3/PHP3 on Win95.
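An added sketch of the idea described above (not the site's own code): HTTP Basic auth that challenges only on a login URL, serves everything else anonymously, and keeps no cookie or session. The `/login` path, realm name, sample account and helper names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

REALM = "diary"                       # assumed realm name
_SALT = b"constructed-salt"           # constructed sample values below
USERS = {"mike": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
PUBLIC_BODY = "public diary entries"

def authenticate(authorization):
    """Return the username for a valid Basic header, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None                   # malformed header: treat as anonymous
    user, sep, password = decoded.partition(":")
    if not sep or user not in USERS:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return user if hmac.compare_digest(candidate, USERS[user]) else None

def handle(path, authorization=None):
    """Return (status, headers, body) for one request; no state is kept."""
    user = authenticate(authorization)
    if path == "/login" and user is None:
        # Challenge only here. After the prompt, the browser resends the
        # credentials by itself on later requests in the protection space.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "login required"
    if user is None:
        return 200, {}, PUBLIC_BODY   # anonymous access, never challenged
    return 200, {}, f"{PUBLIC_BODY} + private entries for {user}"

def basic(user, password):
    """Build the header a browser would send (demo helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

if __name__ == "__main__":
    hdr = basic("mike", "correct horse")
    print(handle("/"))                # anonymous visitor
    print(handle("/login"))           # 401 challenge
    print(handle("/", hdr))           # authenticated without cookie or session
    # Logout flaw: the server holds nothing it could invalidate, so the
    # same header keeps working until the browser itself forgets it.
    print(handle("/", hdr))
```

Basic credentials are only base64-encoded and travel with every request, so a scheme like this needs TLS on the whole site.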

Categories: software
...though his invention worked superbly -- his theory was a crock of sewage from
beginning to end. -- Vernor Vinge, "The Peace War"