The HTTP protocol provides a standardised way to perform authentication, in two modes:
Basic – transmits the username and password in a reversible base64 encoding
Digest – transmits an MD5 hash computed over the username, realm, password, a server-generated nonce, the request method and the request URI
Basic HTTP authentication suffers from a very easy man-in-the-middle attack: the attacker simply reverses the base64 encoding to recover the user’s password. This is prevented by switching to HTTPS, where a man-in-the-middle attack is not possible.
Digest HTTP authentication, however, uses a series of MD5 operations over data supplied by both the server and the client. Depending on the server implementation, this can prevent a man-in-the-middle from deciphering the password, and can prevent replay attacks.
Digest HTTP authentication is relatively new, but is fully supported in all the latest browsers. Internet Explorer 6, however, does not implement the standard correctly, though there is an Apache server workaround to accommodate it.
I have written a mod_perl module, Webtatic::AuthDBI, which provides a database backend for this method. It is similar to mod_auth_mysql, which only supports Basic auth.
I have published a project page for this at /projects/webtaticauthdbi/. It is free to use, and uses the same licensing terms as Perl. Installation and use instructions are on that page.
In theory, digest authentication is more secure than cookie sessions: once a session id has been captured by an attacker, the attacker can use that session themselves, whereas digest authentication sends a different Authorization header with every request, so if the server prevents replay attacks the attacker cannot reuse a captured header.
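To make the hashing described above and the replay point concrete, here is an added example (not part of this post or of Webtatic::AuthDBI) showing the client-side RFC 2617 response computation in its qop=auth form, whose per-nonce request counter is what lets a server detect a replayed header, together with a server-side verifier that stores only HA1 per user and rejects any Authorization header whose nonce-count does not increase. The in-memory nonce store, realm, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import re

def md5_hex(s):  # RFC 2617 Digest auth is defined over MD5 hex digests
    return hashlib.md5(s.encode("utf-8")).hexdigest()
def ha1(username, realm, password):  # HA1 = MD5(user:realm:pass); the DB stores this, not the password
    return md5_hex(f"{username}:{realm}:{password}")
def digest_response(h1, method, uri, nonce, nc, cnonce, qop="auth"):
    # response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{md5_hex(f'{method}:{uri}')}")

def build_header(username, realm, password, method, uri, nonce, nc, cnonce):  # what a browser sends
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def parse_digest_header(header):  # 'Digest k="v", k2=v2, ...' -> dict; non-Digest schemes -> {}
    scheme, _, params = header.partition(" ")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params) if scheme == "Digest" else []
    return {k: q or b for k, q, b in pairs}

class DigestVerifier:  # server side: HA1 per user plus the highest nonce-count accepted per nonce
    def __init__(self, realm, users):
        self.realm = realm
        self.users = {u: ha1(u, realm, pw) for u, pw in users.items()}
        self.nonce_counts = {}  # nonce -> highest nc accepted so far (constructed in-memory store)

    def issue_nonce(self):  # fresh random nonce for the WWW-Authenticate challenge
        nonce = os.urandom(16).hex()
        self.nonce_counts[nonce] = 0
        return nonce

    def verify(self, method, uri, header):
        p = parse_digest_header(header)
        h1, nonce = self.users.get(p.get("username")), p.get("nonce")
        if h1 is None or nonce not in self.nonce_counts or p.get("realm") != self.realm:
            return False  # unknown user, unknown or expired nonce, or wrong realm
        if p.get("uri") != uri or not re.fullmatch(r"[0-9a-fA-F]{8}", p.get("nc", "")):
            return False  # header made for a different request, or malformed nonce-count
        nc = int(p["nc"], 16)
        if nc <= self.nonce_counts[nonce]:
            return False  # nonce-count did not increase: a replayed Authorization header
        expected = digest_response(h1, method, uri, nonce, p["nc"], p.get("cnonce", ""), p.get("qop", "auth"))
        if not hmac.compare_digest(expected, p.get("response", "")):
            return False  # wrong password, or method/uri altered in transit
        self.nonce_counts[nonce] = nc
        return True
```

A real deployment would also expire nonces after a short lifetime, since the store above otherwise grows without bound.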