This is very helpful thanks. You see I didn't even know about this REMOTE_USER env var but now you've mentioned it, this gave me something to home in on.

I have now managed to find several pages of the sort that I needed to read, giving me the basics. In particular, for the record, this page is excellent.

So the answer seems to be that the choices are either to authenticate using basic http authentication or via cookies. Cookies means doing some of the authentication work myself and from my perspective is therefore to be avoided. http has some pitfalls but they can be worked around. Having authenticated, I can use the REMOTE_USER variable in my script and using the ideas of mapping to roles above can then get my scripts to display different things according to the role being used.

That is good enough for the basic effort I have in mind but of course I will also take note of the advice given above on SQL injection and user paranoia.