Every secured page should have some header code like this:
If Not Session("LoggedIn") Then
    Response.Redirect "login.asp?r=" & Server.UrlEncode(Request.ServerVariables("SCRIPT_NAME"))
End If
I typically put this into an include file called "private.asp" and make sure to include it at the top of every page that should be secured.
In your login page, after you've successfully logged in the user, check your querystring value to see if you should forward the user back to an originally requested page:
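' After successful login...
strReturnURL = Request.QueryString("r")
' Only follow the return value if it is a path on this site: it must start
' with a single "/" (not "//") and contain no backslash. Anything else,
' including an absolute URL to another host, falls through to the homepage.
If Left(strReturnURL, 1) = "/" And Left(strReturnURL, 2) <> "//" And InStr(strReturnURL, "\") = 0 Then
    Response.Redirect strReturnURL
Else
    ' Send them to your homepage...
    Response.Redirect "/"
End If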
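The "r" value arrives from the query string, so anyone can put any address in a login link. As an added example (not code from the original post), a reusable check that accepts only site-relative paths and also rejects control characters; `SafeReturnUrl` is a hypothetical helper name and the sample values are constructed.

```vbscript
Option Explicit

' Hypothetical helper (not from the original post): returns strCandidate only
' when it is a path on this site, otherwise strDefault.
Function SafeReturnUrl(ByVal strCandidate, ByVal strDefault)
    Dim s, i, intCode
    SafeReturnUrl = strDefault
    s = "" & strCandidate                        ' coerce a QueryString item or Empty to a string

    If Left(s, 1) <> "/" Then Exit Function      ' must be a site-relative path
    If Left(s, 2) = "//" Then Exit Function      ' protocol-relative URL: //host/...
    If InStr(s, "\") > 0 Then Exit Function      ' browsers treat "\" like "/"

    ' Control characters: CR/LF could split the Location header, and browsers
    ' drop tabs and newlines from URLs, turning "/<tab>/host" into "//host".
    For i = 1 To Len(s)
        intCode = AscW(Mid(s, i, 1))
        If (intCode >= 0 And intCode < 32) Or intCode = 127 Then Exit Function
    Next

    SafeReturnUrl = s
End Function

' In login.asp, after a successful login:
'   Response.Redirect SafeReturnUrl(Request.QueryString("r"), "/")

' Constructed sample values, printed when this file is run with cscript.exe.
Dim arrSamples, strSample
arrSamples = Array("/members/report.asp", "", "http://example.com/", _
                   "//example.com/", "/\example.com/", "/" & vbTab & "/example.com/")
For Each strSample In arrSamples
    WScript.Echo "[" & Replace(strSample, vbTab, "<TAB>") & "] -> [" & _
                 SafeReturnUrl(strSample, "/") & "]"
Next
```

For use in ASP, keep only the function in an include file and drop the `WScript.Echo` loop, which exists only so the checks can be exercised from the command line.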