From Renee Poutissou, elog, 1 November 2002
http://midtwist.triumf.ca:8081/EL/021101.359?exp=twist

The security between web server and browsers is done with cookies. 
If a browser requests a page from mhttpd without a cookie, the web
server asks to enter a password. If the password entered is valid, 
the server returns a cookie with a 24 hour valid period. This is kept
by the browser. If the browser is restarted within the 24 hour period, 
it will send the cookie along with the request.