For handling access restriction to the members-only pages, my basic idea is to assign a session id when the user logs in, and then simply add a check to each members-only page to ensure the session id has been set. If not, redirect them; otherwise allow them access.
I am just wondering if this is too simple? How hard is it to exploit the session assignment?
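The check described in the post, sketched as an added example that is not the poster's code: it contrasts testing only that a session id is set with looking the id up in server-side state. The Python in-memory store, the cookie name `sid`, the 30-minute timeout and all function names are assumptions.

```python
import secrets
import time

SESSION_TTL = 1800  # assumed idle timeout, in seconds
_sessions = {}      # server-side store: session id -> {"user", "expires"}


def login(user, old_sid=None, now=None):
    """Issue a fresh id at login and drop any id the client held before."""
    now = time.time() if now is None else now
    _sessions.pop(old_sid, None)        # never reuse a pre-login id
    sid = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
    _sessions[sid] = {"user": user, "expires": now + SESSION_TTL}
    return sid


def logout(sid):
    """Invalidate the session on the server, not just in the cookie."""
    _sessions.pop(sid, None)


def presence_only_check(cookies):
    """The literal 'is a session id set?' test: any client-sent value passes."""
    return bool(cookies.get("sid"))


def validated_check(cookies, now=None):
    """Return the user if the id maps to a live server-side session, else None."""
    now = time.time() if now is None else now
    sid = cookies.get("sid")
    record = _sessions.get(sid) if sid else None
    if record is None:
        return None
    if record["expires"] <= now:
        _sessions.pop(sid, None)        # expired: remove and reject
        return None
    record["expires"] = now + SESSION_TTL  # sliding idle timeout
    return record["user"]


def members_page(cookies, now=None):
    """Gate for a members-only page: redirect unless the session validates."""
    user = validated_check(cookies, now)
    if user is None:
        return (302, "/login")
    return (200, f"members area for {user}")
```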