The isapi authentication filter includes a feature that greatly simplifies tracking an authenticated user through multiple pages of a web site.
On every request for a file in the protected area a custom header is inserted into the request. The request is accessible from dynamic pages as the cgi variable 'HTTP_USER'. This eliminates the usual need for developers to track users via url variables, hidden forms variables or cookies ...
By definition, a web site that is successful in attracting traffic offers content that is attractive and thus, of some value to the targetted user. If the site is freely accessible to the public at large, there are usually no problems.
However, if site access is restricted, there will always be those who try to gain access to the protected materials without proper authorisation. A prime example is paid subscription sites. While value and cost can both be denominated in currency, there are always those who will want the value without the cost. What this really says is that the more successful a membership site is, the greater the attraction to those who want the content without paying. This is the domain of hotlinkers, password hackers and password traders ...