As for the login, here is what I do.
what you do is create an intermediary asp page that the user will never show, because the only thing it does is validate the username and password. If it's not ok then it does what it has to do, but if the login IS correct, then it store a variable that says the user is alright (like access or username and password for example). You do it simply like this

session("Access") = "ok" ' or anything else...

At each start of page now, you check the status of the session("Access") variable, if it's different than "ok", you redirect to a page that tell that the access is denied.

Two things to consider :
1.The browser must support per-session cookies, if you check in IE option, you will see two type of cookies, some that are stored into the client and some that are not. Sessin Cookies are those that are not stored. In your denied page, you can state a message for that.
2.when assigning the session("Access") object, the session is started and is close after a certain amount of idle time. After that time the user will be denied access and will have to login again. You can set the Session.timeout object = whatever time you want that to happen in minutes. don't put zero though because it sorta disable the session...