The best approach is to stop "rolling your own" login and entry system. Instead, use something like
Introduction to Membership[
^] as that handles the security for you, including forbidding access to pages the user isn't allowed into, and making him log in first if he tries to access a page without permission.
You can add your own Custom Membership provider if you have special business rules to work with for the actual login.