One of my side projects is a small, subscription-based business built around a website. Obviously authentication and authorization are concerns. I've built the application using Plack, so I have middleware to separate the interesting concerns of authentication, authorization, and database selection from the mechanics of the application itself.
While thinking about authentication today, I decided that the login system could use a standard HTTP authentication mechanism where, instead of typing a username and password into a little form on a web page, the client should pop up some sort of authentication box as a prompt.
My business partner scowled and said "People find that scary."
The difference between returning the appropriate HTTP headers to prompt a client for authorization and returning an HTML page with a form to fill out is minimal on the development side. How about the user experience?
Is prompting for HTTP authorization less friendly? A login form—not a popup—exists in the context of a site. It can have links to register or to recover a forgotten password.
The cleanliness (the HTTPfulness!) of the authorization header still appeals to me, however, even as I recognize that it may put off a lot of people. Alternatively, deep linking into the application could use HTTP authorization, while visiting the front page could use the login form...
... but perhaps this is a case where cleverness or theoretical purity is much less important than ease of use and clarity to customers.
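The hybrid sketched above, written as Plack middleware: this is an added example, not code from the post's own application. It assumes an upstream session middleware sets `REMOTE_USER` after a successful form login, and `check_password` is a hypothetical stand-in for the real credential check.

```perl
package My::Middleware::HybridAuth;
use strict;
use warnings;
use parent 'Plack::Middleware';
use Plack::Util::Accessor qw(authenticator realm);
use MIME::Base64 qw(decode_base64);

# Paths where the app renders its HTML login form (with register and
# forgotten-password links) instead of receiving an HTTP challenge.
my %FORM_PATHS = map { $_ => 1 } qw(/ /login /register /forgot);

sub call {
    my ($self, $env) = @_;
    # Assumed: an upstream session middleware sets REMOTE_USER after a
    # successful form login, so those requests pass straight through.
    return $self->app->($env) if $env->{REMOTE_USER};
    # Otherwise accept HTTP Basic credentials if the client sent any.
    if (my $user = $self->_basic_user($env)) {
        $env->{REMOTE_USER} = $user;
        return $self->app->($env);
    }
    my $path = $env->{PATH_INFO} || '/';
    return $self->app->($env) if $FORM_PATHS{$path};
    # Deep link without credentials: the 401 challenge makes the
    # browser show its native prompt for this realm.
    my $realm = $self->realm || 'restricted area';
    return [ 401,
        [ 'Content-Type' => 'text/plain',
          'WWW-Authenticate' => qq{Basic realm="$realm"} ],
        [ 'Authorization required' ] ];
}

# Parse "Authorization: Basic <base64(user:pass)>" and run the supplied
# authenticator; returns the user name on success, undef otherwise.
sub _basic_user {
    my ($self, $env) = @_;
    my $header = $env->{HTTP_AUTHORIZATION} or return;
    my ($b64) = $header =~ /^Basic\s+(\S+)/i or return;
    my ($user, $pass) = split /:/, decode_base64($b64), 2;
    return unless defined $user && defined $pass;
    return $self->authenticator->($user, $pass, $env) ? $user : undef;
}

package main;   # the .psgi part: wrap a toy app with the middleware
my $app = sub {
    my $user = $_[0]{REMOTE_USER} // 'guest';
    return [ 200, [ 'Content-Type' => 'text/plain' ], [ "hello $user" ] ];
};
# check_password is a hypothetical stand-in for the real credential check.
My::Middleware::HybridAuth->wrap( $app, realm => 'members',
    authenticator => sub { my ($u, $p) = @_; check_password($u, $p) } );
```

Basic credentials are only base64-encoded, so the challenge path should be served over TLS only, and browsers resend them on every request with no logout for the native prompt, which the form-plus-session path does not share.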