This is my proposed security protocol for a secure application that does not require the use of the session object. I would greatly appreciate comment on the merits/flaws of this system.

When user logs into the system:

1) Validate the username and password from the db

2) If step 1 passes, create a unique sessionID (a 10-20 character string combination of alphanumeric values) and store it in the virtual_sessions db table along with this user's ID

3) Store the sessionID on the client as a cookie for matching to the database later

When a user requests a secured page:

1) Grab the cookie and compare the value to the sessionID column in the database table. If there is a match, verify that the userid column of this field matches the userid stored in the cookie

2) If the expiration date has not passed, increment the expiration date of both the cookie and the dbTable by the sessionTimeout value (an arbitrary value) and allow the user into the application. If the expiration date has passed, delete the record in the "virtual_sessions" table, delete the cookie and deny access. (The UI will be responsible for redirection to a login form)
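The login and secured-page flows above, written out as an added example (not the poster's code) against an in-memory SQLite stand-in for the virtual_sessions table. Two choices are mine, not the post's: the sessionID comes from a CSPRNG (`secrets.token_urlsafe`, longer than the 10-20 characters proposed) so it cannot be guessed, and the sliding expiry is set to now + sessionTimeout rather than added to the old expiry, so an active session's lifetime does not grow without bound; the 15-minute timeout is an assumed value.

```python
import secrets
import sqlite3
import time

SESSION_TIMEOUT = 15 * 60  # the post's "sessionTimeout"; 15 minutes is an assumed value


def open_store():
    """In-memory stand-in for the post's virtual_sessions table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE virtual_sessions (session_id TEXT PRIMARY KEY,"
               " user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)")
    return db


def create_session(db, user_id, now=None):
    """Login steps 2 and 3: mint an unguessable sessionID, record it with the
    user's ID and an expiry, and return the cookie values the client will hold."""
    now = int(time.time() if now is None else now)
    session_id = secrets.token_urlsafe(24)  # 32-char CSPRNG token (my choice, not the post's)
    db.execute("INSERT INTO virtual_sessions VALUES (?, ?, ?)",
               (session_id, user_id, now + SESSION_TIMEOUT))
    return {"sessionID": session_id, "userid": str(user_id)}


def authorize(db, cookie, now=None):
    """Secured-page steps 1 and 2. Returns (allowed, refreshed_cookie_or_None)."""
    now = int(time.time() if now is None else now)
    sid = cookie.get("sessionID", "")
    row = db.execute("SELECT user_id, expires_at FROM virtual_sessions"
                     " WHERE session_id = ?", (sid,)).fetchone()
    if row is None:
        return False, None  # no such session on record
    user_id, expires_at = row
    if str(user_id) != cookie.get("userid"):
        return False, None  # cookie's userid disagrees with the table row
    if now > expires_at:
        # expired: drop the row; the caller clears the cookie and redirects to login
        db.execute("DELETE FROM virtual_sessions WHERE session_id = ?", (sid,))
        return False, None
    new_expiry = now + SESSION_TIMEOUT  # slide from now, not from the old expiry
    db.execute("UPDATE virtual_sessions SET expires_at = ? WHERE session_id = ?",
               (new_expiry, sid))
    return True, dict(cookie, expires=new_expiry)
```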