The Cookie Is the Answer
So, what technique do I use? I use a simple cookie. When the page "login.asp" authenticates the user, it places a small cookie with a pre-determined value on the user's computer:
Response.Cookies("SomeCookieName") = "SomePreDeterminedValue"
Each subsequent page simply checks the value of the cookie. If the cookie value matches what the page expects, it allows the user to proceed:
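If Request.Cookies("SomeCookieName") <> "SomePreDeterminedValue" Then
    ' Cookie missing or wrong: send the user back to the login page
    Response.Redirect "login.asp"
    ' - or in Windows 2000, this is better code
    ' - Server.Transfer "login.asp"
End If
' ... The rest of the page's code here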
The key to making this technique work is to set the cookie value without specifying an expiration date. The browser then deletes the cookie automatically when the user closes the browser session. So, if the user has been authenticated today and comes back tomorrow, or even 10 minutes after closing the browser, the cookie will have been deleted and they will be forced to log in again, as they should be. And returning to our earlier scenario, the public library lurker who is using a machine just vacated by a legitimate user, and who types in the URL for your secure pages, will be told to log in again.
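The following is an added example, not code from the original article, written in Python rather than ASP so it runs stand-alone. It goes beyond the fixed value above: it issues the same no-expiry session cookie, but makes the value a per-login HMAC-signed token, so a value seen in one browser is not valid for another account and cannot be altered. `SERVER_KEY`, `MAX_AGE_SECONDS` and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "SomeCookieName"        # cookie name used in the article
SERVER_KEY = secrets.token_bytes(32)  # assumption: secret that never leaves the server
MAX_AGE_SECONDS = 8 * 3600            # assumption: server-side cap on one login


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username, now=None):
    """Build the Set-Cookie value sent by the login page after authentication."""
    issued = int(time.time()) if now is None else int(now)
    payload = "%s|%d" % (username, issued)
    jar = SimpleCookie()
    jar[COOKIE_NAME] = payload + "|" + _sign(payload)
    morsel = jar[COOKIE_NAME]
    # No Expires/Max-Age attribute: the browser drops the cookie with the session.
    morsel["path"] = "/"
    morsel["httponly"] = True   # not readable from page script
    morsel["secure"] = True     # only sent over HTTPS
    return morsel.OutputString()


def check_cookie(cookie_header, now=None):
    """Return the username for a valid Cookie request header, else None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if COOKIE_NAME not in jar:
        return None
    parts = jar[COOKIE_NAME].value.rsplit("|", 2)
    if len(parts) != 3:
        return None
    username, issued, signature = parts
    expected = _sign(username + "|" + issued)
    # Constant-time comparison; reject anything not signed with SERVER_KEY.
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        return None
    current = int(time.time()) if now is None else int(now)
    if current - int(issued) > MAX_AGE_SECONDS:
        return None   # stale even if the browser kept the session alive
    return username
```

Each protected page would call `check_cookie` on the incoming `Cookie` header and send the user to the login page whenever it returns `None`.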