I have built a site based on mostly querystrings and hidden form fields to pass data, with a few session vars. The session vars are eventually put into querystrings and sent that way around the site, which is where my questions come up. First of all, I shouldn't even use the session vars if I am not going to make them usable throughout the scope of the site, but I think I need to rebuild the site so that it is based on session variables for this reason... I have a logout script that simply runs session.abandon, but the user is able to hit the back button after logging out and the querystring vars are still live. They are still alive b/c a session.abandon isn't going to kill a querystring variable... correct? I have read up on all of the caching issues that come into play too... but my question is, should I rebuild the entire site around session vars so that the user can't just hop back into the site after logging out? And how important is this for security reasons to not allow a user to just click back and be right back into the site?? Advice is greatly appreciated, b/c the site runs fast and fine, but I am a little concerned about the logging out issue!!