Having posted an answer here, I found that you had posted this question more than once... Please don't post your question in multiple places. Rather, post the question in one forum, and post the URL in the other fora.
All: please see http://p2p.wrox.com/topic.asp?TOPIC_ID=61844
What I do in my internet app is this.
Users have an Oracle account as a feature of being a user.
When they submit their login and password, I use those credentials to try to communicate with Oracle. If Oracle accepts the communication, I keep the credentials. If not, I send back a webpage indicating that the credentials were no good.
You can try to communicate with the DB within your login form. If that fails, just don't move to the next form.
I do have user access configuration within the databse. If their login was successful, I go get their privileges, and give them controls (links in my case) to access the parts of the app that they have permission to access. You, of course, can have a variety of access controls (buttons, entries in listboxes, whatever), and can make them visible or not based on privileges, or you can have different forms for different classes of users. (Having multiple forms can be tough if the forms have similar features. If you make a change to a shared feature, you have to modify every form with a sililar feature... can be tedious.)
This answer is technology independent—these are approaches, and they would be implemented differently in different languages.