Currently, front end 'security' is only for cosmetic purposes. A user who logs in only sees those modules they are permitted to see.
A user will be required to log in:
Before each use (don't save login between sessions)
After a set amount of time, such as 4 hours
Currently, we use basic authentication as a placeholder.
Our requirements for authentication + communication are:
Users are only able to log in with correct user/password
Communication is encrypted between client and server
Not vulnerable to man-in-the-middle attacks/spoofed server
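
The sketch below is an added example, not the project's own code. It shows one way the server could enforce the login, 4-hour expiry and per-module rules itself, so that the front end's module hiding stays purely cosmetic. `SessionStore`, its methods and the PBKDF2 iteration count are hypothetical names and constructed values, and transport encryption is assumed to be handled separately.

```python
import hashlib
import hmac
import secrets
import time

SESSION_LIFETIME = 4 * 60 * 60  # seconds; the "4 hours" from the requirements
PBKDF2_ROUNDS = 600_000         # constructed example value

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class SessionStore:
    """In-memory only: nothing is persisted, so a login never outlives the process."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}     # username -> (salt, password hash, permitted modules)
        self.sessions = {}  # token -> (username, absolute expiry time)

    def add_user(self, username, password, modules):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt), frozenset(modules))

    def login(self, username, password):
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored, _ = record
        # Constant-time comparison of the derived hashes.
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[token] = (username, self.clock() + SESSION_LIFETIME)
        return token

    def authorize(self, token, module):
        """Called on every request; the server decides, not the front end."""
        entry = self.sessions.get(token)
        if entry is None:
            return False
        username, expires = entry
        if self.clock() >= expires:
            # Absolute timeout: the user must log in again after 4 hours.
            del self.sessions[token]
            return False
        return module in self.users[username][2]
```

The client would hold the token only in memory or in a non-persistent session cookie, so closing the application discards the login.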