I've been reading up on login mechanisms using redirects, and have a basic mechanism down.

a1.php:

<?php
session_start(); // needed before $_SESSION can be read or written
$site_title = 'My Site';
if (isset($_SESSION['errmsg_s'])) {
    $errmsg = 'Warning! '.$_SESSION['errmsg_s'].'!';
} else {
    $errmsg = '';
}
// landing on the login page clears any previous login
if (isset($_SESSION['email_s'])) {
    unset($_SESSION['email_s']);
}
echo '<h1>Welcome to '.$site_title.'</h1><br>';
echo $errmsg;
?>
<!-- form goes here and calls a2.php -->

a2.php:

<?php
session_start();
$email = isset($_POST['email']) ? $_POST['email'] : '';
// email_is_good() is a placeholder name for: test email for goodness against database
if (email_is_good($email)) {
    $_SESSION['email_s'] = $email;
    unset($_SESSION['errmsg_s']);
    // stuff successful login into database
    session_write_close();
    header('Location: a3.php');
    exit;
} else {
    $_SESSION['errmsg_s'] = "Re-enter your email";
    unset($_SESSION['email_s']);
    session_write_close();
    header('Location: a1.php');
    exit;
}
?>

a3.php:

<?php
session_start();
// not logged in: send the visitor back to the login page
if (empty($_SESSION['email_s'])) {
    session_write_close();
    header('Location: a1.php');
    exit;
}
$email = $_SESSION['email_s'];
// escape the value before writing it into HTML
echo 'Hello there, '.htmlspecialchars($email, ENT_QUOTES, 'UTF-8').'. We are glad to have you here.<br>';
?>

OK, looks like this handles refresh (resubmit) and back button issues. Hitting back when on page 3 empties 'email', so resubmitting does a brand new login. (If I'm missing something, holler.)

However, the seminal article at http://www.theserverside.com/tt/articles/article.tss?l=RedirectAfterPost says:

- Never show pages in response to POST
- Navigate from POST to GET using REDIRECT
- Always load pages using GET

I get the first and the second, and understand how to implement them. The third, though. Sorry, I'm missing something. I simply don't understand what they mean or how to do it. Can someone translate my little a3.php page into 'using GET' instead of just grabbing the session var again? And why is that necessary?

(P.S. I'll get to the issue of rearchitecting this via require instead of using header() redirects, cough, cough, Richard Lynch, cough, cough :) in a future message. One step at a time...)
--
RE, Chicago

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
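The three rules quoted in the message above, shown as one flow in a single file (an added example, not code from the original post or the linked article): the POST branch only changes state and redirects, and the page itself is only ever rendered for a GET request that reads its state from the session. The file name login.php, the helper names check_email() and redirect_get(), and the sample address are assumptions made for illustration; a3.php and the session keys follow the post.

```php
<?php
// login.php: added example, one file handling both halves of Post/Redirect/Get.
declare(strict_types=1);
session_start();

// Hypothetical stand-in for the post's "test email against database" step.
function check_email(string $email): bool
{
    $known = ['user@example.com'];          // constructed sample data
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        && in_array($email, $known, true);
}

// 303 See Other makes the browser fetch the target with GET.
function redirect_get(string $path): void
{
    session_write_close();
    header('Location: ' . $path, true, 303);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Rules 1 and 2: a POST changes state and redirects; it never renders a page.
    $email = is_string($_POST['email'] ?? null) ? trim($_POST['email']) : '';
    if (check_email($email)) {
        session_regenerate_id(true);        // fresh session id at login
        $_SESSION['email_s'] = $email;
        redirect_get('a3.php');
    }
    $_SESSION['errmsg_s'] = 'Re-enter your email';
    redirect_get('login.php');
}

// Rule 3: everything below runs only for GET, so refresh and back re-send nothing.
$errmsg = $_SESSION['errmsg_s'] ?? '';
unset($_SESSION['errmsg_s']);               // flash message: shown once, then gone
?>
<h1>Welcome to My Site</h1>
<?php if ($errmsg !== ''): ?>
<p>Warning! <?= htmlspecialchars($errmsg, ENT_QUOTES, 'UTF-8') ?>!</p>
<?php endif; ?>
<form method="post" action="login.php">
  <input type="email" name="email" required>
  <button type="submit">Log in</button>
</form>
```

A page reached through such a redirect, like a3.php in the post, is requested with GET and takes its data from the session rather than from the POST body.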