So what I did is added support for cookies. Basically in the http_parse_request() I created a callback that I call which passes header to the call back. In the function I get the cookie for a session ID, and return a redirect if the current user is not logged in.
When the user connects the callback checks the session ID cookie and the remote IP port for match, if they do not match current logged in person I redirect them to login page. The login page assigns them a new random session id and lets them enter password. If password matches then I store their session id and IP address as being logged in. The reason for IP address is that when login screen is shown, if someone is logged it it will inform user they will kick off that person at IP address xx.xx.xx.xx. Yes if connection is through a router/NAT then everyone will have same IP, but not my use case.
This works well except for calls where I am just requesting JSON values. Here I had to change HTML/_javascript_ to know that the JSON failed due to being logged out and redirect them to login page.
Trampas