So what I did is added support for cookies. Basically in the http_parse_request() I created a callback that I call which passes header to the call back. In the function I get the cookie for a session ID, and return a redirect if the current user is not logged in.
When the user connects the callback checks the session ID cookie and the remote IP port for match, if they do not match current logged in person I redirect them to login page. The login page assigns them a new random session id and lets them enter password. If password matches then I store their session id and IP address as being logged in.