[eluser]kurucu[/eluser]
If you autoload the session library, a session is actually started for every unique visitor.
Then, in your code, you can mark a unique user as logged in once they have succesfully completed and submitted your login form, with
Code:
$this->session->set_userdata('userid', $user_id_from_authentication);
Somewhere in your members area controller, you can:
Code:
if( $this->session->userdata('userid') === FALSE )
{
redirect('/not/allowed');
}
The session library (or is it a helper?) returns false if a userdata variable has not been set, hence the code above. When a user logs out be sure to unset 'userid' and/or any other variables you set for the user session.
What I would suggest is that you at least turn on cookie encryption, and preferably database variable storage. The least information sent about authentication over the network, the better.