diff --git a/auth/middleware.go b/auth/middleware.go
new file mode 100644
index 0000000..ac5a7a2
--- /dev/null
+++ b/auth/middleware.go
@@ -0,0 +1,187 @@
+// auth/middleware.go
+package auth
+
+import (
+    "crypto/subtle"
+    "net/http"
+    "time"
+)
+
+type AuthMiddleware struct {
+    username string
+    password string
+    sessions *SessionManager
+}
+
+func NewAuthMiddleware(username, password string, sessions *SessionManager) *AuthMiddleware {
+    return &AuthMiddleware{
+        username: username,
+        password: password,
+        sessions: sessions,
+    }
+}
+
+func (a *AuthMiddleware) Login(w http.ResponseWriter, r *http.Request) {
+    if r.Method == "GET" {
+        a.serveLoginPage(w)
+        return
+    }
+    
+    if r.Method != "POST" {
+        http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+        return
+    }
+    
+    username := r.FormValue("username")
+    password := r.FormValue("password")
+    
+    // 使用常量时间比较防止时序攻击
+    usernameMatch := subtle.ConstantTimeCompare([]byte(username), []byte(a.username)) == 1
+    passwordMatch := subtle.ConstantTimeCompare([]byte(password), []byte(a.password)) == 1
+    
+    if usernameMatch && passwordMatch {
+        sessionID := a.sessions.Create(30 * time.Minute)
+        
+        http.SetCookie(w, &http.Cookie{
+            Name:     "session_id",
+            Value:    sessionID,
+            Path:     "/",
+            HttpOnly: true,
+            Secure:   true,
+            SameSite: http.SameSiteStrictMode,
+            MaxAge:   1800,
+        })
+        
+        http.Redirect(w, r, "/", http.StatusSeeOther)
+        return
+    }
+    
+    // 登录失败，延迟响应防止暴力破解
+    time.Sleep(2 * time.Second)
+    http.Redirect(w, r, "/login?error=1", http.StatusSeeOther)
+}
+
+func (a *AuthMiddleware) Logout(w http.ResponseWriter, r *http.Request) {
+    cookie, err := r.Cookie("session_id")
+    if err == nil {
+        a.sessions.Delete(cookie.Value)
+    }
+    
+    http.SetCookie(w, &http.Cookie{
+        Name:     "session_id",
+        Value:    "",
+        Path:     "/",
+        HttpOnly: true,
+        Secure:   true,
+        MaxAge:   -1,
+    })
+    
+    http.Redirect(w, r, "/login", http.StatusSeeOther)
+}
+
+func (a *AuthMiddleware) Require(next http.Handler) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        cookie, err := r.Cookie("session_id")
+        if err != nil || !a.sessions.Valid(cookie.Value) {
+            http.Redirect(w, r, "/login", http.StatusFound)
+            return
+        }
+        next.ServeHTTP(w, r)
+    })
+}
+
+func (a *AuthMiddleware) serveLoginPage(w http.ResponseWriter) {
+    html := `<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>Login - Secure Site Proxy</title>
+    <style>
+        * { margin: 0; padding: 0; box-sizing: border-box; }
+        body {
+            font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+            min-height: 100vh;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+        }
+        .login-container {
+            background: white;
+            padding: 40px;
+            border-radius: 10px;
+            box-shadow: 0 10px 40px rgba(0,0,0,0.2);
+            width: 100%;
+            max-width: 400px;
+        }
+        h1 {
+            text-align: center;
+            margin-bottom: 30px;
+            color: #333;
+        }
+        .form-group {
+            margin-bottom: 20px;
+        }
+        label {
+            display: block;
+            margin-bottom: 5px;
+            color: #555;
+            font-weight: 500;
+        }
+        input {
+            width: 100%;
+            padding: 12px;
+            border: 2px solid #e0e0e0;
+            border-radius: 5px;
+            font-size: 14px;
+            transition: border-color 0.3s;
+        }
+        input:focus {
+            outline: none;
+            border-color: #667eea;
+        }
+        button {
+            width: 100%;
+            padding: 12px;
+            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+            color: white;
+            border: none;
+            border-radius: 5px;
+            font-size: 16px;
+            font-weight: 600;
+            cursor: pointer;
+            transition: transform 0.2s;
+        }
+        button:hover {
+            transform: translateY(-2px);
+        }
+        .error {
+            background: #fee;
+            color: #c33;
+            padding: 10px;
+            border-radius: 5px;
+            margin-bottom: 20px;
+            text-align: center;
+        }
+    </style>
+</head>
+<body>
+    <div class="login-container">
+        <h1>🔒 Secure Login</h1>
+        <form method="POST" action="/login">
+            <div class="form-group">
+                <label for="username">Username</label>
+                <input type="text" id="username" name="username" required autofocus>
+            </div>
+            <div class="form-group">
+                <label for="password">Password</label>
+                <input type="password" id="password" name="password" required>
+            </div>
+            <button type="submit">Login</button>
+        </form>
+    </div>
+</body>
+</html>`
+    w.Header().Set("Content-Type", "text/html; charset=utf-8")
+    w.Write([]byte(html))
+}