in reply to Security issues

The following things are not clear in your question:

-- Randal L. Schwartz, Perl hacker

Re: Re: Security issues
by Stamp_Guy (Monk) on May 29, 2001 at 04:35 UTC
    To clarify:
    I'm referring to basic authentication.
    Same id and password.
    This is just straight CGI.
      You're going to have to bend your constraints a bit to make this work. First, give up on basic authentication. It does nothing to prevent multiple people from being logged in simultaneously.

      An approach that might work relies on "branding" each browser with a unique cookie value. (merlyn has an article that demonstrates how to do this.)

      Once you can brand each browser, it's a matter of bookkeeping to ensure that only one browser is logged in at a time. The logic goes something like this:

      • When a browser accesses a CGI in your "highlander" directory, the CGI first verifies that the browser has a unique id cookie. If unable to establish an id cookie, the CGI can deny service with an "Allow cookies!" message.
      • Next, the CGI determines if anyone is already logged in. If so, the CGI spits back a "Sorry" response.
      • If nobody is logged in, the browser presents a login form.
      • When the form is submitted, the CGI first checks to see if anyone sneaked in in the meantime. If so, the CGI emits a "Sorry, not quick enough" response. Otherwise, the CGI verifies the username and password, then performs some bookkeeping to note that this particular browser is logged in. (There are race conditions here that you'll need to be careful with).
      • When the CGI sees that the requesting browser is logged in, instead of a "login" form, it presents a "logout" button. When invoked, the logout action merely does a bit of bookkeeping to note that the given browser isn't logged in anymore.
      • All access to "content" is via the same CGI. Keep the content in a directory that isn't web accessible.
      You're still going to have to deal with logging out users who log in, then wander off to dinner. The CGI can do this by including a "last accessed" timestamp for the logged-in user, logging them out if the timestamp gets stale.
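The bookkeeping in the steps above, written out as an added Perl example (not code from this thread or from merlyn's branding article). It assumes that the unique id cookie has already been set and that its value arrives as `$browser_id`; the state file path, the ten-minute idle limit and the two browser ids in the walk-through are constructed for the example.

```perl
#!/usr/bin/perl
# Single-login ("highlander") bookkeeping for a CGI. The browser is assumed
# to be branded already; $browser_id is the value of its unique id cookie.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :flock);

# Assumed settings: one small state file outside the web root, and an
# idle login counts as logged out after ten minutes.
my $STATE_FILE = '/tmp/highlander.state';
my $IDLE_LIMIT = 10 * 60;

# Run $code while holding an exclusive lock on the state file, so the
# "is anyone logged in? -> claim the slot" sequence cannot interleave with
# another CGI process serving a second browser (the race condition above).
sub with_lock {
    my ($code) = @_;
    sysopen my $fh, $STATE_FILE, O_RDWR | O_CREAT, 0600
        or die "cannot open $STATE_FILE: $!";
    flock $fh, LOCK_EX or die "cannot lock $STATE_FILE: $!";
    my $result = $code->($fh);
    close $fh;    # releases the lock
    return $result;
}

# The state file holds one line: "<owner browser id>\t<last accessed epoch>".
sub read_state {
    my ($fh) = @_;
    seek $fh, 0, 0;
    my $line = <$fh>;
    return (undef, 0) unless defined $line && length $line;
    chomp $line;
    my ($owner, $seen) = split /\t/, $line, 2;
    return ($owner, $seen || 0);
}

sub write_state {
    my ($fh, $owner, $seen) = @_;
    seek $fh, 0, 0;
    truncate $fh, 0;
    print {$fh} "$owner\t$seen\n" if defined $owner;
}

# Who holds the slot right now, treating a stale timestamp as nobody.
sub current_owner {
    my ($fh, $now) = @_;
    my ($owner, $seen) = read_state($fh);
    return undef if !defined $owner || $now - $seen > $IDLE_LIMIT;
    return $owner;
}

# Called after the username/password check passes: claim the slot.
# Returns 1 on success, 0 if someone else sneaked in ("not quick enough").
sub try_login {
    my ($browser_id, $now) = @_;
    $now = time unless defined $now;
    return with_lock(sub {
        my ($fh) = @_;
        my $owner = current_owner($fh, $now);
        return 0 if defined $owner && $owner ne $browser_id;
        write_state($fh, $browser_id, $now);
        return 1;
    });
}

# Called on every content request: is this the logged-in browser? If so,
# refresh its "last accessed" timestamp so an active user is not timed out.
sub touch_if_logged_in {
    my ($browser_id, $now) = @_;
    $now = time unless defined $now;
    return with_lock(sub {
        my ($fh) = @_;
        my $owner = current_owner($fh, $now);
        return 0 unless defined $owner && $owner eq $browser_id;
        write_state($fh, $browser_id, $now);
        return 1;
    });
}

# The logout button: clear the slot, but only if this browser holds it.
sub logout {
    my ($browser_id) = @_;
    return with_lock(sub {
        my ($fh) = @_;
        my ($owner) = read_state($fh);
        return 0 unless defined $owner && $owner eq $browser_id;
        write_state($fh, undef, 0);
        return 1;
    });
}

# Constructed walk-through with two branded browsers; no real HTTP involved.
unlink $STATE_FILE;
my $t = 1_000_000;
printf "alice logs in: %s\n", try_login('cookie-alice', $t) ? 'ok' : 'denied';
printf "bob tries too: %s\n", try_login('cookie-bob', $t + 5) ? 'ok' : 'denied';
printf "alice fetches content: %s\n",
    touch_if_logged_in('cookie-alice', $t + 60) ? 'served' : 'sorry';
printf "bob after alice idles 11 min: %s\n",
    try_login('cookie-bob', $t + 60 + 11 * 60) ? 'ok' : 'denied';
printf "alice now: %s\n",
    touch_if_logged_in('cookie-alice', $t + 60 + 11 * 60 + 1) ? 'served' : 'sorry';
printf "bob logs out: %s\n", logout('cookie-bob') ? 'done' : 'not owner';
```

In the real CGI, `$browser_id` is the id cookie read from the request, and every script in the "highlander" directory must go through these same helpers: `flock` is advisory, so a script that writes the state file without taking the lock reintroduces the race. The state file, like the content, belongs outside the web-accessible tree.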

      Then the answer is "not possible". You'll have to change one of your parameters. There's no way to know if the same basic-auth is being used by multiple browsers. And if someone says "but what about IP", remember those behind corporate firewalls and on AOL.

      -- Randal L. Schwartz, Perl hacker

        Ok, do you know of some other options? I need to password protect a directory with only one person being able to use the contents at one time. Any ideas would be greatly appreciated.
      In order to do custom authentication you will need to recompile Apache with the auth_external module included. The auth_external source comes with Apache but by default it is not included in the compiled version.

      Don't know about you, but for us the need to recompile Apache (on an old, no-longer-supported version of NCR Unix) was a show-stopper. We told the client that we could not do what they wanted without recompiling, and they said forget about it then.