" the two page includes the login page...."
Actually, if I read your explanation as you intended, that's exactly what I'm urging you to avoid.

1. Create a default, static "index.html (.asp. .net, whatever)" FOR EVERY VISITOR which includes a link to "login.cgi"
2. Have login.cgi's (separate) action script (call it "login_test.cgi") check the uname and pw against whatever you're using for your "approved members" list
     ...if successful,
   call "application_page1.cgi"
     } else {
     ...call "page2.html" which announces "login failed" or similar (as in my initial reply) and provides a link to the default ("index.html" or whatever).

You can, without dangerously deviatating from my schema, have login_test.cgi's failure action send a user who entered the wrong credentials directly back to index.html without any explanation, but that's unkind to the maker of an innocent error.

Please excuse my assumptions about your intent; I've been known to err (but with good intent) in that area.