User-based access control
verify userid/password against almost any source
- file, unix, ldap, athens, etc.
browser->server is effectively cleartext
- unless using SSL
- beware of reducing privacy of passwords
password transmitted for each request
- many opportunities for theft