This may be too simple for the advanced board, but hey, I&#039;ll learn more here...<BR>I&#039;m moving away from using session variables (which are great) but i&#039;m not yet ready for ASP.NET (too much new syntax to learn.) So...<BR><BR>I&#039;m going to create my next application with a work-around. I&#039;ll assign a GUID at login. That GUID will get put in a GUID field in the users table and in a cookie on the users machine. Another field in the users table will log the time of GUID assignment. At every page that has a need for session variables, I&#039;ll do a call (maybe a stored procedure) to the db and get any user information I need (privilege, customizations) and update the assignment time. Every 20 minutes or so, (like when my cached variables renew) the app will delete all the GUIDs from my clients table that are more than 20 minutes old, meaning the user hasn&#039;t been to a new page for more than 20 minutes. Pages with significant content could have automated refreshes to keep users logged in (maybe that&#039;s a security problem though). <BR><BR>What&#039;s my question? Is this the standard way of doing this? Do I get it? I&#039;ll put an include file with the db call on every page where I need the session state checked. It doesn&#039;t really seem that difficult. BUT, it requires a db call on every page load - doesn&#039;t seem very efficient, but what&#039;s the alternative? <BR><BR>OK, if you said querystring is the alternative, then what&#039;s the negative of querystring? Why use cookies at all? Can it be done entirely with the GUID passed in the querystring? And should it?<BR><BR>Also, the cookie contains only a GUID and doesn&#039;t persist. This answers all the anti-cookie privacy concerns, no?<BR><BR>Like, this: <BR><BR>page_onload<BR> get GUID from cookie<BR> get parameters from DB based on GUID<BR> customization<BR> get values to implement in dynamic css<BR> privilege<BR> ?not high enough send to login<BR> UPDATE clients SET GUIDtime=NOW()<BR> stuff<BR><BR>A note (if you read this far), the "scalable alternative to session variables" here on 4GuysFromRolla was useful, but appeared to rely on IP address to identify users (maybe I mis-read the code). Isn&#039;t that really silly? That means that two clients with the same IP (like me and my wife - we share a cable modem - or EVERYONE at my office - we share a T1) will have access to the same session, kind of defeats the U in GUID. - very very bad for security and not really usable for production applications. Again, what am I missing?<BR><BR>Note, feel free to explain stuff like I was 4 years old cause that&#039;s about how smart I am.