...

Our architecture will be to execute all dynamic content as the uid of the content owner, not as the httpd account.  There are a variety of technologies to do this with; so far the best option appears to be a combination of the built-in Apache httpd suexec mechanism and FastCGI.  In the future, httpd 2.x may provide more comprehensive support for this architecture, allowing httpd worker processes to adopt the uid of the content owner and then process content through standard mechanisms such as mod_php.  Idle worker processes could be reused if they match the target uid of a new request, eliminating the need for FastCGI.

There is one notable downside to executing dynamic content as the uid of the content owner: an attacker who compromises a web application will have write access to the content owner's entire account, and not just the files which must be writable to web applications.  To solve this problem, ideally there would be two uids per user: one for login access, the other for execution of dynamic web content.  The uids would live within the same group (otherwise unique) so that group permissions could be used to regulate read and write access for dynamic content.  Unfortunately, this model is probably too exotic to implement using standard tools.
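To make the trade-off concrete, the following added example (not from the original page) models the kernel's owner/group/other permission check over a constructed home directory and compares what a compromised web application could write under the single-uid model versus the two-uid, shared-group model described above. All uids, gids, paths and modes are constructed for illustration.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # POSIX permission bits

@dataclass(frozen=True)
class Inode:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o640

@dataclass(frozen=True)
class Cred:
    uid: int
    gids: frozenset

def permitted(inode, cred, want):
    """Select the owner, group or other class exactly as the kernel does
    (first match wins, no fallback); root override deliberately omitted."""
    if cred.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif inode.gid in cred.gids:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bits & want == want

# Constructed account: login uid 1000 and web uid 2000 share gid 1000.
LOGIN = Cred(uid=1000, gids=frozenset({1000}))
WEB = Cred(uid=2000, gids=frozenset({1000}))
SINGLE = LOGIN  # single-uid model: dynamic content runs as the login uid

# Constructed home directory layout, all files owned by the login uid.
HOME = [
    Inode("~/.ssh/id_rsa", 1000, 1000, 0o600),            # private: no group access
    Inode("~/public_html/index.php", 1000, 1000, 0o640),  # group read-only
    Inode("~/public_html/uploads", 1000, 1000, 0o770),    # the one group-writable dir
]

def writable_by(cred):
    """Paths the given credentials could modify; what an attacker inherits."""
    return sorted(i.path for i in HOME if permitted(i, cred, W))

def readable_by(cred):
    return sorted(i.path for i in HOME if permitted(i, cred, R))

if __name__ == "__main__":
    print("single-uid model, web can write:", writable_by(SINGLE))
    print("two-uid model, web can write:   ", writable_by(WEB))
    print("two-uid model, web can read:    ", readable_by(WEB))
```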

3c. Cookie theft and cookie injection

...