I'm trying to use a membership system to protect my admin area. When a user logs in this happens:

'Grab the submitted variables (page is the page they've come from, set by the hidden variable at the login box)
username = Request.Form("username")
password = Request.Form("password")
page = Request.Form("page")
stayloggedin = Request.Form("stayloggedin")

if page = "" then
    page = "index.asp"
end if

'Check no s**t is trying to hack in using SQL commands
if InStr(username, "'") or InStr(username, """") or InStr(username, "=") or InStr(password, "'") or InStr(password, """") or InStr(password, "=") then
    sqlflag = True
end if

........

sql = "SELECT username FROM users WHERE username = '" & username & "' AND password = '" & password & "'"
Set rsUser = Server.CreateObject("ADODB.Recordset")
rsUser.Open sql, conn, 3, 3

'If there was a valid recordset there, then send them back to the page they came from, with the username cookie set
If (not rsUser.BOF) and (not rsUser.EOF) and sqlflag <> True then
    Response.Cookies("username") = rsUser("username")

    'If the user wants to stay logged in all the time, then we'll set the cookie with a far-away expiry date
    if stayloggedin = "yes" then
        Response.Cookies("username").expires = #1/1/2010#
    end if
---------------------------------
Then the admin pages are protected by putting this piece of code at the top of them:

<%
if Request.Cookies("username") = "" then
    Response.Redirect("notuser.asp")
end if
%>

--------------
QUESTION: Is this a safe way to protect the pages? Would I increase the safety by using session variables instead? It would be really great if I could get a response from someone with experience!
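As an added illustration (not code from the poster), the same login flow rewritten so that the query is parameterised instead of string-concatenated, and the logged-in state is kept in a server-side Session variable rather than a cookie the visitor can set themselves; it assumes an open ADODB connection object named conn, as in the post, and keeps the post's table and column names.

```vbscript
<%
Option Explicit
' Assumes: conn is an open ADODB.Connection; table users(username, password) as in the post.
Dim username, password, page, cmd, rsUser

username = Request.Form("username")
password = Request.Form("password")
page     = Request.Form("page")
' Only allow a relative page name, so the post-login redirect cannot be pointed off-site.
If page = "" Or Left(page, 1) = "/" Or InStr(page, "//") > 0 Then page = "index.asp"

' Parameterised query: username and password are bound as data, so a quote, = or
' anything else typed into the form can never alter the SQL statement. This makes
' the InStr() blacklist from the post unnecessary.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT username FROM users WHERE username = ? AND password = ?"
cmd.CommandType = 1   ' adCmdText
cmd.Parameters.Append cmd.CreateParameter("u", 200, 1, 50, username)   ' adVarChar, adParamInput
cmd.Parameters.Append cmd.CreateParameter("p", 200, 1, 50, password)   ' (passwords still compared in plaintext, as in the post)
Set rsUser = cmd.Execute

If Not rsUser.EOF Then
    ' The browser only ever receives an opaque ASPSESSIONID cookie; the fact that
    ' this session belongs to a logged-in user lives on the server, so a visitor
    ' cannot forge it the way they can create a "username" cookie by hand.
    Session("username") = rsUser("username").Value
    Response.Redirect page
Else
    Response.Redirect "notuser.asp"
End If
%>

<%
' ---- guard to put at the top of each admin page (replaces the Request.Cookies check) ----
' Session("username") is Empty until the login above sets it, and Empty = "" is True in VBScript.
If Session("username") = "" Then
    Response.Redirect "notuser.asp"
End If
%>
```

Logging out is then `Session.Abandon`, and the "stay logged in" behaviour would need a separate, server-validated remember-me token rather than a long-lived cookie holding the username.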