CompleteFTP supports both public HTTP access to files, and authenticated access to files. HTTP directory listings are also supported (if listing permissions are in place).
For public (unauthenticated) access, the "anonymous" user (which may be found in Users panel and by selecting "Show system users/folders/sites" in the main form's Options menu) must be enabled and the "Public HTTP access enabled" setting must be checked. Only the files accessible by the anonymous user can be viewed publicly via HTTP (i.e. by a web browser without logging in). When the server is being accessed publicly the root of file-system is always the anonymous user's home directory, thus http://hostname/index.html maps to /Public/index.html in the virtual file-system, assuming that /Public is the anonymous user's home directory (the default). Any access to a path that is not accessible to the anonymous user will result in an authentication request (i.e. login dialog in the browser). The user will thus be given a chance to authenticate. Alternatively, the default index.html file has a Login link that can be used to login (or this link, /login, can be placed on any page desired).
A particular user's files can be accessed via HTTP if the user is authenticated. For example, the user 'javaftp' normally has their files accessible under '/home/javaftp' (as long as the General User Setting User's home folder appears as root is not selected). So all of the 'javaftp' user's files will be accessible via 'http://hostname/home/javaftp/filepath'. When an attempt is made to navigate to this URL in a web browser, an authentication dialog will be popped up by the browser, and the 'javaftp' user's credentials can be entered and a session established. Note that in HTTP all data sent to the server is not secure, especially usernames and passwords. If User's home folder appears as root is enabled, the authenticated user's files are accessed ia 'http://hostname/filepath', i.e. the '/home/javaftp' part of the URL is not required. The login url http://hostname/login can be used to authenticate if necessary.
HTTP sessions are maintained by a cookie stored in the browser. The timeout for HTTP sessions can be set in Limits & Timeouts (in Settings). A session can also be terminated by navigating to http://hostname/logout, and can be initiated by navigating to http://hostname/login.