The way I've seen most successfully done is this:
- Have a set of runmodes that do what you want. They do not worry about security.
- Have a standard login page.
- Use the cgiapp_prerun() method to check if the person is logged in correctly. If they are not and they requested a page that requires being logged in, redirect them to the login page.
- Otherwise, you don't do anything. The user was validated correctly, so the normal flow of events should continue. I.e., the page requested should be rendered.
Your idea about having a separate file and all that ... why be so complicated? cgiapp_prerun() cannot be circumvented by the user. Your method, theoretically, can be, especially if you call another cgi script and return its return value.
Being right, does not endow the right to be rude; politeness costs nothing.
Being unknowing, is not the same as being stupid.
Expressing a contrary opinion, whether to the individual or the group, is more often a sign of deeper thought than of cantankerous belligerence.
Do not mistake your goals as the only goals; your opinion as the only opinion; your confidence as correctness. Saying you know better is not the same as explaining you know better.