Timothy D. Morgan has published an excellent paper describing:

- How UI limitations hinder adoption of HTTP-based authentication
- How UI behaviors are, or can be, abused in relation to HTTP auth
- Observations on cookie limitations
- Proposals for browser vendors to allow wider adoption of HTTP-based auth such as digest

From the paper:

"In this paper, we compare the security weaknesses and usability limitations of both cookie based session management and HTTP digest authentication; demonstrating how digest authentication is clearly the more secure system in practice. We propose several small changes in browser behavior and HTTP standards that will make HTTP authentication schemes, such as digest authentication, a viable option in future application development."

One of the better papers I've read in a long time and certainly worth checking out if you consider yourself an HTTP haxor.

Paper: http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf