The first request to a protected page will produce an authentication prompt. Subsequent requests to the same site will automatically send the same set of credentials (in every browser I'm familiar with. This part of the spec seems to be optional ).
Using HTTP Basic Authentication, the server can track the user across different pages. All other state can be maintained on the server side, keyed to the user.
One way to handle logout (without closing the browser) is to have a logout link with a destination of "https://bad_username:firstname.lastname@example.org". I believe this causes the browser to forget the original (valid) credentials and attempt authentication with the invalid credentials. This will fail, and produce a new login prompt. Then you have to close the prompt, and close the subsequent "401" page.
So yeah, it is awkward.