Passwords are fine for web interfaces that have php and 'sessions' behind them, but these are not available with an arduino.
Do you know how PHP manages sessions? Effectively, the "authorized" token is passed as part of every request. The server decides which clients are authorized (typically based on the user having an ID and knowing the proper password), and gives the client an "authorized" token, which the client than passes as part of every GET request.There is no reason that the Arduino can't generate an "authorized" token, and can't check for an "authorized" token as part of each GET request.
I suppose I could have an explicit 'logout' button.But that requires the user to never be lazy or forgetful.
Could start an arduino session timer but then the tension is making the session long enough without providing a window of opportunity for hackers and making the session too short and a pain in the arse for users.