Much thanks indeed, Jason. I do appreciate your laying it out.
To solidify the understanding, may I check?
1 - Then each page that is restricted has some PHP, to check the session variable and enforce the rules?
2 - If WA uses SecurityAssist, for example for eCart, then SA is - to invoke one of the security standards of which I have become aware - PCI compliant? (I ask, since my client will ask, to get some sense for the level of security.)
3 - Then the little lock, which appears for an HTTPS page, is not relevant for these purposes?
Of course, we can distribute HTTPS links for those pages where we may want to protect transmissions. But the little lock, and related certificate, are not relevant for protection on the individual pages?
Again, I am appreciative of your laying it out. (Have indeed earlier gone through the two tutorials. They are most useful.)
I encourage anyone seeking to use SecurityAssist, who may read here later, to review the two tutorials thoroughly. Start with Jason's summary description, labeled entry #6 in the thread above, which the User level tutorial in particular then expands on exhaustively.
Again thanks, David