I have been working on a client section for my web site. I have already developed a few scripts.
First being, a customer 'join' script, which gathers and stores client personal data in a mysql database called 'clients'.
Second being, a customer login script which checks a user's supplied username and password against the records in another mysql database called 'users'. If there is a match the user is forwarded to their personal client page.
My problem now is that anyone who types the URL of the clients page directly into the browser can still access it, because nothing on that page checks whether the visitor has logged in.
I need a scriptlet that can check whether the user has been authorized (logged in) — i.e. whether the session value the login script sets on success, `$_SESSION["loginUsername"]`, is present (which means the protected page has to call `session_start()` before it produces any output). If they are not authorized, send them to the login page; if they are, display the page they attempted to access.
If anyone could help I would greatly appreciate it.
Here is the login script, if it helps:
<?php
// include.inc is expected to supply the DBMS settings used below ($hostName,
// $username, $password, $databaseName) and the helpers this file calls but
// does not define (clean(), showerror(), showLogin(), showMessage(),
// errorHandler()).
// NOTE(review): web servers do not normally run ".inc" files through PHP, so
// if include.inc sits inside the document root its source -- including the
// DBMS password -- may be fetched as plain text. Keep it outside the web root
// (or rename it to .php); confirm against your server's configuration.
include 'include.inc';
// Route PHP errors to the handler defined in include.inc
set_error_handler("errorHandler");
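function check_login($loginUsername, $loginPassword)
{
    // Verifies a user-name/password pair against the users table and either
    // logs the user in (redirecting them onward) or redisplays the login form.
    // Never returns: every path ends in exit.
    //
    // $loginUsername / $loginPassword are the cleaned $_POST values collected
    // by the top-level code of this file; they are still untrusted input.
    // The DBMS host and credentials are the globals set up by include.inc.
    global $username;
    global $password;
    global $hostName;
    global $databaseName;

    // Open a connection to the DBMS first: escaping the user-name below needs
    // a live connection so it uses the connection's character set. The '@'
    // only hides the driver's own warning; showerror() reports the failure.
    if (!($connection = @ mysql_pconnect($hostName, $username, $password)))
        showerror();
    if (!mysql_select_db($databaseName, $connection))
        showerror();

    // The user-name is spliced into the SQL text, so it must be escaped for
    // this connection; without it a user-name containing a quote rewrites the
    // query (SQL injection). Escape exactly once, here where the query is
    // built -- if clean() in include.inc already applies addslashes(), that
    // should be removed rather than escaping twice.
    $safeUsername = mysql_real_escape_string($loginUsername, $connection);

    // Fetch the stored hash and compare it in PHP rather than in SQL. Passing
    // the stored hash back to crypt() as the salt reproduces the join script's
    // scheme for the existing DES hashes (their first two characters are the
    // salt it derived from the user-name) and also accepts any longer crypt()
    // format the join script may store later, so stored hashes need no
    // conversion when the scheme is strengthened.
    $query = "SELECT password FROM users WHERE user_name = '$safeUsername'";
    if (!($result = @ mysql_query($query, $connection)))
        showerror();

    $authenticated = false;
    // exactly one row? then we have found the user
    if (mysql_num_rows($result) == 1)
    {
        $row = mysql_fetch_assoc($result);
        $storedHash = (string) $row["password"];
        // An empty hash, or one starting with '*', can never be matched
        // (crypt() signals an unusable salt with a '*...' result), so such rows
        // count as "no valid password" instead of being compared.
        if ($storedHash !== '' && $storedHash[0] !== '*'
                && crypt($loginPassword, $storedHash) === $storedHash)
            $authenticated = true;
    }
    mysql_free_result($result);

    if (!$authenticated)
    {
        // Ensure loginUsername is not registered, so the user is not logged in
        unset($_SESSION["loginUsername"]);
        // Register an error message. The wording is deliberately the same
        // whether the user-name or the password was wrong, so the form does
        // not reveal which user-names exist.
        $_SESSION["message"] = "Username or password incorrect. Login failed.";
        // Show the login page so the user can have another go!
        login_page();
        exit;
    }

    // Issue a fresh session id BEFORE marking the session as logged in, so a
    // session id an attacker planted earlier (session fixation) never becomes
    // a logged-in one.
    session_regenerate_id();
    // Register the loginUsername to show the user is logged in
    $_SESSION["loginUsername"] = $loginUsername;
    // Clear the form-state session variables left over from earlier attempts
    unset($_SESSION["errors"]);
    unset($_SESSION["formVars"]);

    // Do we need to redirect to a calling page?
    if (isset($_SESSION["referer"]))
    {
        $referer = $_SESSION["referer"];
        // Delete the referer session variable
        unset($_SESSION["referer"]);
        // Only follow the saved target when it is a path on this site. A value
        // carrying a scheme ("http:", "javascript:") or a protocol-relative
        // prefix ("//evil.example", "/\evil.example") would make the login
        // page an open redirect, and control characters could split the
        // header.
        $localTarget = !preg_match('#^(?:[a-z][a-z0-9+.\-]*:|//|/\\\\)#i', ltrim($referer))
            && !preg_match('/[\x00-\x1f\x7f]/', $referer);
        if ($localTarget)
        {
            header("Location: $referer");
            exit;
        }
    }
    // Send them to their own personal Members Directory!
    header("Location: members.php?id=" . urlencode($loginUsername));
    exit;
}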
// Function that shows the HTML <form> that is
// used to collect the user-name and password
function login_page()
{
// Emits the complete HTML login page and returns; every caller exit()s
// straight afterwards. The <form> POSTs loginUsername / loginPassword back
// to login.php, where the top-level code of this file picks them up.
// NOTE(review): the credentials travel in the POST body, so this page and
// login.php should only be served over HTTPS.
// NOTE(review): the password field caps input at maxlength=8 while the
// handler trims it at 12 characters -- harmless for DES crypt() (which
// only uses the first 8 characters) but worth aligning if the hash scheme
// ever changes.
?>
<!DOCTYPE HTML PUBLIC
"-//W3C//DTD HTML 4.0 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd" >
<html>
<head>
<title>Login Page</title>
</head>
<body bgcolor="white">
<?php
// Show login status (should be logged out!) -- showLogin() comes from
// include.inc; presumably it reads $_SESSION["loginUsername"].
showLogin();
?>
<h2>Login Page</h2>
<form method="POST" action="login.php">
<?php
// Show messages -- showMessage() comes from include.inc; presumably it
// prints and clears $_SESSION["message"], which the top-level code and
// check_login() set on a failed or incomplete login.
showMessage();
// Generate the login <form> layout
?>
<table>
<tr>
<td>Enter your username:</td>
<td><input type="text" size=15 maxlength=30 name="loginUsername"></td>
</tr>
<tr><td>Enter your password:</td>
<td><input type="password" size=15 maxlength=8 name="loginPassword"></td>
</tr>
<tr>
<td><input type="submit" value="Log in"></td>
</tr>
</table>
</form>
</body>
</html>
<?php
}
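// ------------------
// Initialise the session
session_start();

// Collect the form fields. clean() comes from include.inc; the second
// argument is the maximum length kept. (The form itself caps the password at
// 8 characters -- see login_page() -- which is all DES crypt() uses.)
if (isset($_POST["loginUsername"]))
    $loginUsername = clean($_POST["loginUsername"], 30);
if (isset($_POST["loginPassword"]))
    $loginPassword = clean($_POST["loginPassword"], 12);

// Check if the user is already logged in. $_SESSION["loginUsername"] is only
// ever set by check_login() after a successful password check.
if (isset($_SESSION["loginUsername"]))
{
    // If they are, then just bounce them back where they came from
    if (isset($_SESSION["referer"]))
    {
        // Read the target from the session itself: the old code redirected
        // to a bare $referer global, which is only populated with
        // register_globals on and is otherwise empty.
        $referer = $_SESSION["referer"];
        unset($_SESSION["referer"]);
        // Only follow it when it is a path on this site. A value carrying a
        // scheme ("http:", "javascript:") or a protocol-relative prefix
        // ("//evil.example", "/\evil.example") would make this an open
        // redirect, and control characters could split the header.
        $localTarget = !preg_match('#^(?:[a-z][a-z0-9+.\-]*:|//|/\\\\)#i', ltrim($referer))
            && !preg_match('/[\x00-\x1f\x7f]/', $referer);
        if ($localTarget)
        {
            header("Location: $referer");
            exit;
        }
    }
    // No usable referer: send them to the front page
    header("Location: index.html");
    exit;
}

// Have they provided only one of a username and password?
if ((empty($loginUsername) && !empty($loginPassword)) || (!empty($loginUsername) && empty($loginPassword)))
{
    // Register an error message
    $_SESSION["message"] = "Both a username and password must be supplied.";
}

// Have they not provided a username/password, or was there an error?
// (A message left in the session by an earlier request also redisplays the
// form; showMessage() in login_page() is expected to print and clear it.)
if (!isset($loginUsername) || !isset($loginPassword) || isset($_SESSION["message"]))
    login_page();
else
    // They have provided a login. Is it valid?
    check_login($loginUsername, $loginPassword);
?>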