I am not saying use directory level permissions. My post does not assume a simple level of yes or no auth. I am saying use a session. If the user connects without a valid session pass him the the session creator. If the has access to the base app (via IP or whatever your base auth level is), then grant him a session and redirect back to the page he tried to hit. If the user then needs expanded access have a login page that verifies whatever auth you want and grants auth level tokens and stores them in his current session. This resolves the base users from getting user/pass auths while still allowing you to have fine grained auth privs for advanced users. Then your cgi can take a look at the session and form the pages and options to something that is acceptable for the auth privs that the session grants. Make sense?