Thank you for your reply.
The administrator will be uploading files to the directory via FTP. His access is controlled at that point.
Users need to sign up via a form and pay a fee. Once they are approved, they should be able to access all the CFM files in that directory via their browser.
Again, I have accomplished this for years by simply creating a session ID, and, at successful login protected every page individually:
<CFIF NOT IsDefined("Session.user_id")>
<cflocation url="login.cfm" addtoken="No">
<cfelse>
webpage
</cfelse>
but never had admins in control of uploading web pages that are unfortunately poorly coded and could never be responsible to add the above code to each page.
What is your advice?
Thanks again
Norman