I find it's easier if you just pretend that the session is always there (just create a session when one is requested), and then when the user logs in put some token in the session indicating what user it is (like the user id or login name).

in the pages that require a valid user you only need to check whether the session contains a valid user id or redirect back to the login page (or give an error)

This also means that you can use the session for other user state, even when they're not logged in.