PASSWORD PROTECTION
User Authentication

One important feature for web sites is the ability to restrict access to part or all of the site. This is often used on subscription sites, such as online webzines or other members-only services. It's also used on administrative portions of web sites, as well as on secure sites for online banking and stock trading. Some online catalogs even require you to register with a username and password before you can order from them (a trend I don't recommend - if you want people to buy from you, you should make it as easy as possible, rather than force them to remember yet another username/password).

There are two kinds of user authentication. One is HTTP authentication; this is actually done by the web server itself. You create a .htaccess file (containing authentication instructions) in the web directory that you want to protect. Then whenever someone tries to access a web page in that directory, their browser presents a pop-up box that asks for their username and password.

The other kind of authentication is done by forms and CGIs, and often uses cookies to track user sessions. This is a much harder method to implement, as it requires you to add code to every page you want protected - and in fact, it will not protect basic HTML files or images at all, so you'd likely have to create CGIs to serve up your entire site (or do some other fancy server manipulation to make it work). You will need this method if you want to limit the amount of time a user stays online/idle, or to restrict logins so that a given user can't have more than one simultaneous login.
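The session-handling part of the form/CGI approach, as an added example that is not code from the original page. It is plain Python using only the standard library; the user table, the password and the clock are constructed for the demo. It implements the two requirements the paragraph names as reasons to choose this method: an idle timeout, and one simultaneous login per user (a new login evicts the old session). In a real site every protected CGI would call authenticate() before emitting anything, and sessions would live in a database rather than in memory.

```python
"""Form/CGI-style login with server-side cookie sessions.

Added example; not code from the original page. Shows the two features the
text says only form-based authentication can give you: expiring idle
sessions and allowing one simultaneous login per user. The user table and
the clock are constructed for the demo; a real site would persist sessions
in a database and run authenticate() at the top of every protected CGI.
"""
import hashlib
import hmac
import os
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds a session may sit idle before it is dropped


def hash_password(password: str, salt: bytes) -> bytes:
    # Store only a salted PBKDF2 hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user table: username -> (salt, hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so idle timeouts can be tested
        self._sessions = {}      # session id -> {"user": ..., "last_seen": ...}
        self._by_user = {}       # username -> active session id (one per user)

    def login(self, username, password):
        """Check credentials; on success return a fresh session id."""
        rec = USERS.get(username)
        if rec is None:
            # Hash anyway so response time does not reveal whether the user exists.
            hash_password(password, b"\0" * 16)
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        # One simultaneous login: a new login evicts the user's previous session.
        old_sid = self._by_user.pop(username, None)
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)  # unguessable, 256 bits of randomness
        self._sessions[sid] = {"user": username, "last_seen": self._now()}
        self._by_user[username] = sid
        return sid

    def authenticate(self, sid):
        """Run on every protected page. Returns the username or None."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._now()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            self.logout(sid)     # idle too long: drop it and force a new login
            return None
        sess["last_seen"] = now  # activity extends the session
        return sess["user"]

    def logout(self, sid):
        sess = self._sessions.pop(sid, None)
        if sess is not None:
            self._by_user.pop(sess["user"], None)


def session_cookie_header(sid):
    # Secure keeps the cookie off plain http (the page's "in the clear" warning);
    # HttpOnly keeps page scripts from reading it.
    return f"Set-Cookie: session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def demo():
    """Walk through eviction and idle expiry with a fake clock."""
    clock = [1000.0]
    store = SessionStore(now=lambda: clock[0])
    first = store.login("alice", "correct horse")
    second = store.login("alice", "correct horse")  # same user, second browser
    results = {
        "bad_password_rejected": store.login("alice", "wrong") is None,
        "first_login_evicted": store.authenticate(first) is None,
        "second_login_valid": store.authenticate(second) == "alice",
    }
    clock[0] += IDLE_TIMEOUT + 1
    results["idle_session_expired"] = store.authenticate(second) is None
    return results


if __name__ == "__main__":
    print(demo())
```

The session id is the only thing the browser holds; the username is looked up server-side on each request, so a stolen or expired id cannot be upgraded by editing the cookie. The clock is injected so the idle-timeout path can be exercised without waiting fifteen minutes.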

Designing Passworded Sites

Give some thought to the reasons for the password protection, and the level of security you need. If you're setting up a development site to share designs or documents with a handful of people, then a single username/password may be sufficient. For an intranet site accessible only to people from a certain domain, you may not even need a username/password - you can restrict access based on domain alone.

Keep in mind that unless you are using a secure server (where your protected pages are all accessed via an https:// URL), usernames and passwords are sent over the web "in the clear", not encrypted. It's possible for someone to run a "packet sniffer" (a program that intercepts internet traffic) - and if they do, they've got your username and password. If you're providing or asking for any kind of sensitive data (credit card or bank information, stocks, etc.), you need to use a secure server.

Also, if you have more than a hundred users accessing a hidden area, you should use a database (along with the appropriate mod_auth module compiled into the server) for lookups. The web server has to look up the username in the auth table for _every page_ that's being accessed, even after a user has logged in; if you use a flat password file for this, your server may get bogged down from excessive file I/O.
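One added configuration example (not from the original page) covering the three server-side options from the paragraphs above: the .htaccess file with a flat password file, the password-free intranet restriction by network or domain, and the database-backed lookup for a large user base. It uses Apache 2.4 directive names (Require ... rather than the older Order/Allow from), so it assumes mod_authn_file, mod_authz_host, mod_dbd and mod_authn_dbd are loaded. The paths, realm name, address range, host name, table and column names and database parameters are all placeholders.

```apacheconf
# ===== (1) .htaccess in the protected directory: flat-file HTTP Basic auth =====
# Fine for a handful of users. Keep the password file outside the web root and
# create it with:  htpasswd -B -c /var/www/auth/.htpasswd alice   (-B = bcrypt)
AuthType Basic
AuthName "Members Only"
AuthUserFile /var/www/auth/.htpasswd
Require valid-user

# ===== (2) .htaccess for an intranet area: no password, restrict by network =====
# Placeholder range and host name; either condition grants access.
# "Require host" does a reverse DNS lookup on every request, so prefer
# "Require ip" when the address range is known.
Require ip 10.20.0.0/16
Require host .corp.example

# ===== (3) httpd.conf / <VirtualHost>: large user base, database lookups =====
# mod_dbd + mod_authn_dbd replace the per-request scan of a flat file.
# DBDriver/DBDParams are server-level and cannot go in .htaccess; the password
# column must hold htpasswd-style hashes (bcrypt etc.), never plaintext.
DBDriver pgsql
DBDParams "host=localhost dbname=siteauth user=httpd pass=PLACEHOLDER"
<Directory "/var/www/html/members">
    AuthType Basic
    AuthName "Members Only"
    AuthBasicProvider dbd
    AuthDBDUserPWQuery "SELECT password FROM users WHERE username = %s"
    Require valid-user
</Directory>
```

Whichever variant is used, the browser resends the credentials (or the server re-runs the lookup) for every request in the realm, which is the reason the paragraph above steers large user bases towards the database provider.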

Copyright © 2007 - 1996, U S A. PositiveDesignsPlus.com, All Rights and Materials Reserved.