I have played with the basic auth method but the thing that puts me off is that there is no clear cut way to log the user out - as far as I can tell the browser stays authed until it quits.

Am I missing something here?

My prefered way to auth is to send the user through a login page and then to set a cookie with the user's name and a token on it. This token is something like "ahe67pnjr8" and is selected at random at the login. To confirm the user the token from the cookie is compared to the token in the database.

This makes logging out easy as all you need to do is change the token in the database and the user's cookie becomes worthless. Can a similar thing be acheived with basic auth without changing the users password?