$LOGGED_IN = TRUE;
That worked fine, up until I realized that when I appended an argument to the URL, I could spoof the log-in mechanism (as in http://www.negativetwenty.com/index.php?LOGGED_IN=TRUE).
This obviously is not good. So I consulted my good friend phpinfo() for an answer. As it turns out, this issue is much easier to fix than I would have thought.
if($HTTP_SERVER_VARS["argc"] != 0) // If someone is trying to pass an argument
Header("Location: $PHP_SELF"); // Then reload the page argument-free
blah . . . // Otherwise load page normally
Since this uses internal PHP variables, I believe it is web server independent, but I'm not sure about that. It apparently works fine on apache and IIS, which are the two big web servers in usage today.
Hope this helps someone else out. Let me know if you have any issues with it.