That is one way, and I agree it's ugly, but Apache came out with form-based authentication in version 2.4, https://httpd.apache.org/docs/2.4/mod/mod_auth_form.html

Oh thanks! That's nice.

In my app, I use basic auth in place of captcha.

Every useragent going back to IE3 and NN1 support it.

I then set a cookie, and users never see the prompt again.

Cookies are sent on the first request, before auth happens.

In my extensive testing, even the most "non-techy" people are able to complete this task, while most bots fail at it.

If any bots start getting through, I can change the password.

For visitors I haven't met yet, I can give out guest credentials on the 401 page.

This Firefox extension adds a logout button:

https://addons.mozilla.org/en-US/firefox/addon/http-auth-enh...