All my Apache cookie auth module does is collect the cookie if it exists, and convert it into a Basic Authentication header. Then you use the normal User-ID/Password mechanisms to grant authorization to the directory/page you are protecting.

So, the first step is to get password-based authentication & authorization working. Then add the cookies. For example, using my mod_auth_msql module for authorization, I might have this configuration:

--cut here--
AuthName GCRC (User ID is your email address)
AuthType Basic
AuthGroupFile /dev/null
AuthMSQLHost localhost
AuthMSQLDB govcon
AuthMSQLUserTable user_info
require valid-user
--cut here--

What this does is use Basic Authentication to prove who you are, then uses the mSQL server on the localhost to find the user id and password. If they match, it allows access.

Now, to use my Cookie based module, I added the one directive AuthCookieName to make the .htaccess file look like this:

--cut here--
AuthName GCRC (User ID is your email address)
AuthType Basic
AuthGroupFile /dev/null
AuthMSQLHost localhost
AuthMSQLDB govcon
AuthMSQLUserTable user_info
AuthCookieName GovConID
require valid-user
--cut here--

What this does is look for a cookie labeled "GovConID". If it exists, the module converts it into the Authentication header needed by the original authorization module. The rest works as before. If the cookie doesn't exist, then the server will send back an "authorization required" message to the web browser, which will then prompt for a user id and password, which will then be used as normal.

For this to work, mod_auth_cookies must be listed at the end of the modules list (after all other mod_auth_* modules you might want to use with it). The choice of authorization module is not important; you can use the standard file-based authorization or DBM based authorization modules if you like.

Here's a program I use to set the cookie. It is just an example. I also set the cookie automatically when someone registers to use my web site.
When called initially, it just displays a form; when called again by itself, it sets the cookie. It will not run without modification for your environment -- it just shows how I do it in mine.

--cut here--
#!/usr/local/bin/perl
use strict;

# Program to generate the necessary cookie to let people access GovCon
# without having to enter User ID and password all the time.
#
# $Id: setcookie,v 1.1 1996/06/14 18:27:01 khera Exp $

### CONFIGURATION
my $cookietag = 'GovConID';	# the cookie name to set with ID/password
# set expire date for my 50th birthday!
my $expires = 'Fri, 02-Dec-16 02:42:42 GMT';
### END CONFIGURATION

use CGI::Base qw(:DEFAULT :HDR);
use CGI::Request;

require "./gclib.pl";

my $req = new CGI::Request;
my $selfURL = $req->cgi->var('SCRIPT_NAME');

if ($req->param('user') =~ m/^\s*$/ or $req->param('pass') =~ m/^\s*$/) {
  # output the form to create the cookie
  SendHeaders();
  &gc::header('Password "Cookie" Generator');
  print qq{

Please enter your GovCon(TM) User ID and password below, then select the "Generate Cookie" button. This will cause your browser to store your User ID and password so that you don't need to type them in again when visiting GovCon. This will only work with browsers that support "Cookies", such as Netscape Navigator.

GovCon(TM) User ID:
Password:
};				#'
} else {
  # generate the cookie!  we just hex-escape every character for the
  # old security through obscurity method...
  my $cookie;
  my $user = $req->param('user');
  my $pass = $req->param('pass');

  my ($db_user,$db_pass,@rest) = &gc::get_user_info_raw($user,undef);

  (SendHeaders() &&
   &gc::warning(qq{Your User ID and password did not match what is in our database. Please go back and re-enter them the same way you did when initially signing into GovCon}))
    unless ($user eq $db_user and crypt($pass, $db_pass) eq $db_pass);

  # now we know it is ok!
  ($cookie = "$user:$pass") =~ s/(.)/sprintf("%%%02x",ord($1))/gei;

  SendHeaders(ContentTypeHdr(),
	      "Set-Cookie: $cookietag=$cookie; path=/; expires=$expires;\r\n");
  &gc::header('Password "Cookie" Generated');
  print qq{

We have set your GovCon(TM) User ID cookie. Please remember that this will only work with browsers that support "Cookies", such as Netscape Navigator.

To test it out, please exit your web browser, then restart it. Visit GovCon(TM) and try to access the Information Center. You should not be prompted for your User ID and password as long as you visit GovCon from this same computer and you do not delete the cookie data. If you are prompted for your User ID and password, then either your browser does not support cookies or you entered your User ID and password incorrectly on the previous page.

};
}

&gc::copyright();
$req->cgi->exit();
--cut here--