PaulS:
If the user/pass is correct, you set an internal arduino variable to true or to the name of the user aka a session variable.
The user/pass may be correct for that client for that session. But, the connection with that client ends as soon as the server generates a response. If the client doesn't provide the "I'm an authorized user" token next time, how is the Arduino to know that it is the same client? The Arduino does not have any way of knowing that the same client is making another request, unless the client knows the magic phrase (which is something stored in a cookie, generally). And, the Arduino doesn't send cookies.
My setup is a one user interaction although not very secure. If somebody tries to see your site while you're logged on, they can.
If you want multiple users and something more secure: sessions work by creating a unique id (UID) for each visitor and store variables based on this UID. The UID is either stored in a cookie or is propagated in the URL. You'd store the session in an array rather than a variable on the arduino. The arduino can send the UID to the client and the client can create the client side cookie with Javascript. That way they can sync up.