> but in the img tag, try src="display_image.php?id=anId" > and in display_image.php, test if the user is authorized before displaying the image. > Then a direct call to display_image.php?id=anId would still have a chance to authenticate the user. Forgot to reiterate: Keep the images where only PHP can read them. If you have the images in a file or a database, use header, and echo or fpassthru on the data. Something like "jan at anh dot sk" http://php.he.net/image _________________________________________________________________ Windows Live Hotmail and Microsoft Office Outlook – together at last. Get it now. http://office.microsoft.com/en-us/outlook/HA102225181033.aspx?pid=CL100626971033 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php