diff --git a/base/web/web.go b/base/web/web.go
index a99c788c..708fe7fe 100644
--- a/base/web/web.go
+++ b/base/web/web.go
@@ -42,12 +42,25 @@ func Cookie(msg *ice.Message, sessid string) string {
 }
 func (web *Frame) Login(msg *ice.Message, w http.ResponseWriter, r *http.Request) bool {
 	if msg.Options(ice.WEB_SESS) {
+		// 会话认证
 		sub := msg.Cmd(ice.AAA_SESS, "check", msg.Option(ice.WEB_SESS))
 		msg.Info("role: %s user: %s", msg.Option(ice.MSG_USERROLE, sub.Append("userrole")),
 			msg.Option(ice.MSG_USERNAME, sub.Append("username")))
 	}
 
+	if (!msg.Options(ice.MSG_SESSID) || !msg.Options(ice.MSG_USERNAME)) && msg.Option("user.ip") == "::1" {
+		// 自动认证
+		msg.Option(ice.MSG_USERNAME, msg.Conf(ice.CLI_RUNTIME, "boot.username"))
+		msg.Option(ice.MSG_USERROLE, msg.Cmdx(ice.AAA_ROLE, "check", msg.Option(ice.MSG_USERNAME)))
+		msg.Option(ice.MSG_SESSID, msg.Rich(ice.AAA_SESS, nil, kit.Dict(
+			"username", msg.Option(ice.MSG_USERNAME), "userrole", msg.Option(ice.MSG_USERROLE),
+		)))
+		Cookie(msg, msg.Option(ice.MSG_SESSID))
+		msg.Info("user: %s role: %s sess: %s", msg.Option(ice.MSG_USERNAME), msg.Option(ice.MSG_USERROLE), msg.Option(ice.MSG_SESSID))
+	}
+
 	if s, ok := msg.Target().Commands[ice.WEB_LOGIN]; ok {
+		// 权限检查
 		msg.Target().Run(msg, s, ice.WEB_LOGIN, kit.Simple(msg.Optionv("cmds"))...)
 	}
 	return msg.Option("url") != ""
diff --git a/demo/build.sh b/demo/build.sh
index ceee6b75..83eb775b 100755
--- a/demo/build.sh
+++ b/demo/build.sh
@@ -23,7 +23,7 @@ END
     [ -f ${ice_sh} ] || cat >> ${ice_sh} <<END
 #! /bin/sh
 
-export PATH=\${PWD}/bin:\$PATH
+export PATH=\${PWD}/bin:\${PWD}:\$PATH
 prepare() {
     which ice.bin && return
     curl -s https://shylinux.com/publish/ice.bin -o bin/ice.bin