Storing password login state without cookies
Christian J
I'd like some feedback on an idea for password login. First, let's review the common PW/login methods and their disadvantages:

1. HTTP authentication makes it hard to log out (you must close all windows). If the user just leaves/closes a protected page he may forget that he's still logged in.

2. Submitting a password through a form must be redone every time, which can be tedious in applications requiring multiple form submissions. You can store the user's login state with a cookie, but that adds cookie dependence.

My idea is the same as (2) above, but instead of using a cookie the server script would print a hidden form field with a random value after the user first logged in with his original password. Subsequently the script would print a new random value every time a new form page was printed.

Would this be unacceptably insecure? Someone else may in theory copy the source of such a page (and use it quickly before the legitimate user made the current random value obsolete), but a cookie can be copied too, or someone may watch you typing the original password on your keyboard.
Brian Chandler
(I think it helps not to say "print" if you just mean writing the html document.)

Define "random"! If you add a session identifier to the parameters passed, then this has the same effect as using cookies, and essentially just as reliable. It's not "secure" any more than cookies are secure over http, because in principle anyone could read the information by packet sniffing. But I can't see anything obviously wrong with doing it this way.
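Added example, not part of the original thread: a minimal server-side sketch of the rotating hidden-field token discussed above, showing what "random" has to mean (an unguessable value from a CSPRNG) and how a copied, already-used token can be detected. The class and function names, the `token` field name, and the 15-minute lifetime are assumptions made for illustration.

```python
import html
import secrets
import time


class RotatingTokenStore:
    """One live hidden-field token per login; each form submission rotates it."""

    def __init__(self, ttl=900, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self.sessions = {}  # session id -> (user, current token, expiry)
        self.issued = {}    # every token issued to a live session -> session id

    def login(self, user):
        # Call only after the original password has been verified.
        return self._issue(secrets.token_hex(16), user)

    def _issue(self, sid, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[sid] = (user, token, self.clock() + self.ttl)
        self.issued[token] = sid
        return token

    def redeem(self, token):
        """Return (user, next_token) for the current token, else None."""
        sid = self.issued.get(token)
        if sid is None:
            return None  # never issued, or session already ended
        user, current, expiry = self.sessions[sid]
        if self.clock() > expiry or not secrets.compare_digest(token, current):
            # Expired, or a spent token came back: either the page source was
            # copied or the user went back in history. End the whole session.
            self._end(sid)
            return None
        return user, self._issue(sid, user)

    def logout(self, token):
        sid = self.issued.get(token)
        if sid is not None:
            self._end(sid)

    def _end(self, sid):
        self.sessions.pop(sid, None)
        self.issued = {t: s for t, s in self.issued.items() if s != sid}


def hidden_field(token):
    # Escape for the attribute context before writing it into the form page.
    return '<input type="hidden" name="token" value="%s">' % html.escape(token, quote=True)
```

A spent token is also what the Back button or a double submit sends, so this strictness logs such users out. As the reply above points out, without HTTPS the token can still be read in transit, exactly like a cookie.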