1) Upon login, the user data is stored in the session.
2) Upon logout, that data is removed.
3) A servlet filter is established that is triggered for each page that must be protected. If the user data is in the session, the page is displayed. If not, the request is shuffled off to a login mechanism.
4) It's customary to remember where the user was trying to go and to redirect there after login.
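
The four steps above as one filter plus login/logout helpers. This is an added example, not code from the original post. It assumes the Jakarta Servlet API (5.0 or later); the URL patterns `/app/*` and `/login`, the session keys `user` and `afterLogin`, and the helper names are hypothetical.

```java
import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

// Hypothetical names: "/app/*", "/login", session keys "user" and "afterLogin".
@WebFilter("/app/*")
public class LoginFilter extends HttpFilter {
    static final String USER = "user";
    static final String TARGET = "afterLogin";

    @Override
    protected void doFilter(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = req.getSession(false);   // do not create a session just to look
        if (session != null && session.getAttribute(USER) != null) {
            chain.doFilter(req, res);                   // step 3: user data present, show the page
            return;
        }
        if ("GET".equals(req.getMethod())) {            // step 4: remember only replayable requests
            String query = req.getQueryString();
            String target = req.getRequestURI() + (query == null ? "" : "?" + query);
            // Kept server-side, so the post-login redirect never comes from a client parameter.
            req.getSession(true).setAttribute(TARGET, target);
        }
        res.sendRedirect(req.getContextPath() + "/login");
    }

    // Step 1: call from the login servlet once credentials have been verified.
    static void onLoginSuccess(HttpServletRequest req, HttpServletResponse res, Object user)
            throws IOException {
        HttpSession session = req.getSession(true);
        String target = (String) session.getAttribute(TARGET);
        session.removeAttribute(TARGET);
        req.changeSessionId();                          // new session id after authentication
        session.setAttribute(USER, user);
        res.sendRedirect(target != null ? target : req.getContextPath() + "/app/");
    }

    // Step 2: call from the logout servlet.
    static void onLogout(HttpServletRequest req, HttpServletResponse res) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate();      // drops the user data and the session
        res.sendRedirect(req.getContextPath() + "/login");
    }
}
```

The login page itself must sit outside the filter's URL pattern, otherwise unauthenticated requests to it are redirected back to it in a loop.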