If the user/pass is correct, you set an internal Arduino variable to true or to the name of the user, aka a session variable.
The user/pass may be correct for that client for that session. But, the connection with that client ends as soon as the server generates a response. If the client doesn't provide the "I'm an authorized user" token next time, how is the Arduino to know that it is the same client? The Arduino does not have any way of knowing that the same client is making another request, unless the client knows the magic phrase (which is something stored in a cookie, generally). And, the Arduino doesn't send cookies.
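The per-request token check this reply describes, as an added example that is not part of the original thread: plain C++ with no Arduino library calls, so it runs on a desktop compiler. The cookie name `session`, the function names and the single-session state are assumptions made for illustration.

```cpp
#include <cstddef>
#include <string>

// Hypothetical sketch state: the one active session token ("" = nobody logged in).
static std::string g_sessionToken;

// Compare without an early exit so timing does not reveal how many characters matched.
static bool constantTimeEquals(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

// Return the value of cookie `name` from a raw HTTP request, or "" if it is absent.
// Assumes the header is spelled exactly "Cookie: " (real clients may vary the case).
std::string cookieValue(const std::string& request, const std::string& name) {
    const std::string header = "\r\nCookie: ";
    std::size_t start = request.find(header);
    if (start == std::string::npos) return "";
    start += header.size();
    std::size_t stop = request.find("\r\n", start);
    if (stop == std::string::npos) stop = request.size();
    const std::string wanted = name + "=";
    while (start < stop) {
        std::size_t end = request.find(';', start);
        if (end == std::string::npos || end > stop) end = stop;
        if (start + wanted.size() <= end && request.compare(start, wanted.size(), wanted) == 0)
            return request.substr(start + wanted.size(), end - start - wanted.size());
        start = end + 1;
        while (start < stop && request[start] == ' ') ++start;
    }
    return "";
}

// Called once the user/pass check has succeeded: remember the token and hand it to the client.
// `freshToken` must be unpredictable; generating it is outside this example.
std::string startSession(const std::string& freshToken) {
    g_sessionToken = freshToken;
    return "Set-Cookie: session=" + freshToken + "; HttpOnly; SameSite=Strict\r\n";
}

// Every later request arrives on a new connection, so authorization rests on the token alone.
bool isAuthorized(const std::string& request) {
    return !g_sessionToken.empty() &&
           constantTimeEquals(cookieValue(request, "session"), g_sessionToken);
}
```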