I was recently reading the article "Password Protecting Your Site" by Rob Taylor on the 4guysfromrolla.com website. I have not tried it, and forgive me if I am completely incorrect, but there seems to be a problem. In order to restrict access, this system simply checks to see if the Session("id") variable is set (i.e. not empty). If the password is not set, it redirects you to a logon page. Then, looking at the password.asp page (the page that validates the password), it appears the Session("id") variable is set regardless of whether or not the password and username are valid. Am I missing something?

Jayson M. Harshbarger - Hypercubed
jmh@hypercubed.com
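
The pattern the post describes, modelled as an added example (not code from the article or from the poster): a gate that only tests whether `Session("id")` is non-empty, next to a login step that sets it unconditionally and one that sets it only after validation. It is written in Python rather than ASP so it runs stand-alone; the account store, function names and PBKDF2 check are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample account store: username -> (salt, PBKDF2 hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000))}


def credentials_valid(username, password):
    """True only if the user exists and the password hash matches."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(actual, expected)


def gate_allows(session):
    """The protected-page check from the post: is Session("id") non-empty?"""
    return bool(session.get("id"))


def login_flawed(session, username, password):
    """Pattern the post describes: the marker is set whatever the check returns."""
    ok = credentials_valid(username, password)
    session["id"] = username  # set unconditionally, so the gate is satisfied
    return ok


def login_fixed(session, username, password):
    """Set the marker only after validation succeeds; clear it otherwise."""
    session.pop("id", None)
    if not credentials_valid(username, password):
        return False
    session["id"] = username
    return True


def demo():
    """Submit a wrong password to both variants and report what the gate says."""
    flawed, fixed = {}, {}
    login_flawed(flawed, "alice", "wrong guess")
    login_fixed(fixed, "alice", "wrong guess")
    return gate_allows(flawed), gate_allows(fixed)


if __name__ == "__main__":
    print(demo())
```
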