As usual, there are so many ways to approach the problem. Here is something I've used before for "lightweight protection":
You can use a session variable to set a "flag" for the client. So, for example, if the client logs into the site properly, create a session variable
isLogged and set it to true (the value actually doesn't matter in this simple example since you're just going to check if it exists -- for more security, you can check the value). On each page,
test isLogged to see if it exists. If it is null, this means the client has not gone through the proper process to access the page.
So, in effect, if I simply cut and paste the url, when I access the page, you will check the session variable
isLogged, which will not exist so you will deny me access.
WS
[ March 12, 2004: Message edited by: Winston Smith ]