a meta refresh would not work.

You'd have to send out the real content only in case the cookie is ok. Otherwise, redirect. If the users stop the redirect, they'll just get nothing... no content and no login page.

Using the SSI as the first thing called should allow the redirect to happen before the protected content is loaded.

As I said, I'm no SSI expert, but some quick googling seems to confirm my understanding (that it shouldn't).  But maybe someone else knows the trick to make it work...