why not pass things through method = post instead of method = get?
Then the user would not know that there exists pageid=1 or pageid=2 -
it's all invisible because you're not passing items along the query
string and they won't be able to modify whether they're pageid=1 or 2
because it's all in the back end

Thanks for the suggestion, unfortunately that will not solve my
problem.
I cannot build user authentication into the application itself, so I
need a 3rd party method of restricting access to certain pages. The GET
method using URL parameters is the only thing that differentiates one
page from another, so hiding them would only make life more difficult.

Most authentication software (IIS Protect, Authentix, etc) uses the
directory structure or specific file name to restrict user access. In
my case thats innapropriate as I have one file and one directory
structure.

I need an authentication software that can identify URL parameters as
well as files and directory structure.