I'm trying to implement Logon scheme. Have Logon.asp page that passes username and password to validate.asp. validate.asp checks against db and if they are valid redirects them. I set the Session variable in validate.asp after validation. Works great. <BR><BR>One big problem. How do I protect validate.asp??? I can't put the protection include file at the top of that to check for login because they aren't logged in yet. I set the Session variable at the end of the validate script. So they can view the source in the Logon page and browse to validate.asp and just go right to the pages I am trying to protect. They won't be able to view those pages because those will have the include file but I would still like to hide validate.asp somehow. They won't see it during a normal login but if they guess the name of it they can see it directly.<BR><BR>What to do? Thanks.