Something between normal auth and external auth?

Forgive me if this is a poorly researched question - I’ve set up rt a few
times (pre 1.0 and 2.0 branches) and spent the last several hours going
through the last few months of email archives for related stuff but I’m not
finding what I was hoping for…

I understand that RT has two methods of handling authentication:
1. Everything internal to RT and its database.
2. Everything external to RT except the username, with whatever the
web server sets as REMOTE_USER used for identifying the user but
authentication happening externally.

…and further that using #2 means no logout functionality is available
because of http’s stateless nature.

I’d appreciate thoughts, warnings, pointers to starting places on an
middle-ground approach: Having RT call an external script for authentication
directly, then managing the session as though it had done normal internal
authentication, keeping the logout functionality available and requiring no
additional support in the web server process.

For everyone the benefit would be having the ability to a let a user ‘log
out’ while still using external authentication. For my specific case, there
would be additional benefits, not the least of which is not needing to
maintain a manually compiled Apache install to support RT.

Without having looked at the RT code at all, I’m assuming that when RT isn’t
using external authentication, it does a process similar to:
1. If there’s no valid session cookie, then request user
2. Check user credentials against database.
3. Assuming the creds were ok, set a session cookie and permit

And that the code performing step 2 is what would need to be expanded.

Has someone already done that? Am I missing something as to why it wouldn’t