Basic Authentication is the simplest way to go I think. It is,
AFAIK, supported in every browser. For most
OpenACS applications this would suffice, I think. It should not be
too hard to implement, and with some checking the authentication
mechanism could even be smart enough to use the forms/cookie
authentication for those that support it (i.e. give cookies back) or
use basic authentication (which pops up a dialog in the browser.)