I'd use php to check for a certain session id on the password protected page... if they don't have that session id then you send them to the password page. They input the password, if it's correct, then you create the necessary session and redirect them back to the page they were trying to get to in the first place.