You're going to have to bend your constraints a bit to make this work.
First, give up on basic authentication. It does nothing to prevent multiple people from being logged in simultaneously.
An approach that might work relies on "branding" each browser with a unique cookie value. (merlyn has an article that demonstrates how to do this.)
Once you can brand each browser, it's a matter of bookkeeping to ensure that only one browser is logged in at a time. The logic goes something like this:
- When a browser accesses a CGI in your "highlander" directory, the CGI first verifies that the browser has a unique id cookie. If unable to establish an id cookie, the CGI can deny service with an "Allow cookies!" message.
- Next, the CGI determines if anyone is already logged in. If so, the CGI spits back a "Sorry" response.
- If nobody is logged in, the browser presents a login form.
- When the form is submitted, the CGI first checks to see if anyone sneaked in in the meantime. If so, the CGI emits a "Sorry, not quick enough" response. Otherwise, the CGI verifies the username and password, then performs some bookkeeping to note that this particular browser is logged in. (There are race conditions here that you'll need to be careful with.)
- When the CGI sees that the requesting browser is logged in, instead of a "login" form, it presents a "logout" button. When invoked, the logout action merely does a bit of bookkeeping to note that the given browser isn't logged in anymore.
- All access to "content" is via the same CGI. Keep the content in a directory that isn't web accessible.
You're still going to have to deal with logging out users who log in, then wander off to dinner. The CGI can do this by including a "last accessed" timestamp for the logged-in user, logging them out if the timestamp gets stale.
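
The bookkeeping described in this answer, as an added sketch that is not part of the original post: a single state file, locked exclusively so the "did anyone sneak in?" check and the update happen as one step, with the stale-timestamp logout applied on every access. The names `Seat` and `new_browser_id`, the JSON state file and the 15-minute timeout are assumptions made for illustration; it uses `fcntl.flock`, so it is Unix-only.

```python
import fcntl, json, os, secrets, time

def new_browser_id():
    return secrets.token_hex(16)  # unguessable "brand" for the browser's cookie

class Seat:
    """One-browser-at-a-time bookkeeping in a single flock-protected JSON file."""
    def __init__(self, path, stale_after=15 * 60):  # timeout value is an assumption
        self.path, self.stale_after = path, stale_after

    def _update(self, step, now):
        # Exclusive lock makes "check the seat, then update it" atomic across CGI processes.
        now = time.time() if now is None else now
        fd = os.open(self.path, os.O_RDWR | os.O_CREAT, 0o600)
        with os.fdopen(fd, "r+") as f:
            fcntl.flock(f, fcntl.LOCK_EX)
            raw = f.read()
            state = json.loads(raw) if raw else {}
            if state and now - state["last"] > self.stale_after:
                state = {}  # holder wandered off: stale timestamp frees the seat
            result, state = step(state, now)
            f.seek(0)
            f.truncate()
            json.dump(state, f)
            return result  # lock is released when the file closes

    def login(self, browser_id, credentials_ok, now=None):
        def step(state, now):
            if state and state["id"] != browser_id:
                return "sorry", state  # someone else holds the seat or sneaked in
            if not credentials_ok:
                return "denied", state
            return "ok", {"id": browser_id, "last": now}
        return self._update(step, now)

    def touch(self, browser_id, now=None):
        # Call on every content request: True only for the logged-in browser.
        def step(state, now):
            held = state.get("id") == browser_id
            return held, ({"id": browser_id, "last": now} if held else state)
        return self._update(step, now)

    def logout(self, browser_id, now=None):
        def step(state, now):
            held = state.get("id") == browser_id
            return held, ({} if held else state)
        return self._update(step, now)
```

Keep the state file outside the web-accessible tree, alongside the content the CGI serves.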