+ you can call the daemon with RPC-JSON calls via HTTP (no login at all ... state-less)
+ AND you can have a keep-alive (authenticated) connection with websockets (including web notifications)
+ different websocket APIs (sub set of calls) can be configured to require different logins
So, what exactly is the problem?