You should at least check the IP of the client additionally to have some prove it is the same client you gave the session-ID. And it is better to put the session-ID in a POST-field than in GET. So it es very unlikely someone passes a session ID around accidently. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php