I've never found Apache's http access control very useful, because of this behavior. Instead, I use PHP's sessions, which works 100% of the time. It's easy, manages the cookie data I want to be able to carry between parts of a website, and actually clears the session when you destroy it.

Thanks to everyone who replied. The PEAR Auth didn't do what I wanted so I couldn't use it in the end.

I want to try MOD AUTH MYSQL, the idea is to do a normal database login but for the parts of the site that are public but have private elements I'd like to have certain folders have .htaccess security that checks the person is logged in. Mod_auth_mysql is already installed on the server so all I have to do is set the login info during the login.

In the login I'm setting the username like this...

$PHP_AUTH_USER = $username;
or
$_SERVER['PHP_AUTH_USER'] = $username;

but a check to see if its been set it fails. Can anyone tell me if I have to do something on top of what I've just posted?

Thanks