At the start of every webpage, check if the session is still active.
If someone is logged out they will not be allowed access to that page and sent back to the login screen.
Sessions persist across webpages.
The login page sets it and EVERY page checks to see if it was valid.
This means someone cannot enter the address of the member pages directly to bypass the login.