I like the security that enabling CHECK_SESSION_ADDR affords, but there are some users for whom this will not work (i.e. AOL people whose IP changes mid-session).

Is there a way to selectively disable this for a given session? Maybe the better option would be to move the check to the rest of the session handling code, where it could be run when enabled for that session.

Any ideas on how to do this? Has anyone else come up with a good way to keep sessions secure short of expiring them after a certain time?

Kind Regards,
-Charles

Quixote powered Independent Online Music Distribution: http://www.subcircuit.com
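An added example, not part of the original post and not Quixote's own code: a stand-alone sketch of the per-session check the post proposes, where each session carries its own address policy and the session manager enforces it on lookup. The class names, the `addr_policy` field and the prefix lengths are assumptions; the "prefix" mode goes beyond the post's question and accepts requests from the same network for users whose IP changes mid-session.

```python
import ipaddress

CHECK_SESSION_ADDR = True  # site-wide default, named after the setting in the post
POLICIES = ("strict", "prefix", "off")  # hypothetical per-session policy names

class SessionError(Exception):
    """Raised when a request does not satisfy the session's address policy."""

class Session:
    def __init__(self, session_id, remote_addr, addr_policy=None):
        if addr_policy is None:  # fall back to the site-wide setting
            addr_policy = "strict" if CHECK_SESSION_ADDR else "off"
        if addr_policy not in POLICIES:
            raise ValueError("unknown address policy: %r" % (addr_policy,))
        self.id = session_id
        self.remote_addr = remote_addr  # address seen when the session was created
        self.addr_policy = addr_policy

    def address_ok(self, request_addr, prefix_v4=16, prefix_v6=48):
        if self.addr_policy == "off":
            return True
        try:
            bound = ipaddress.ip_address(self.remote_addr)
            seen = ipaddress.ip_address(request_addr)
        except ValueError:
            return False  # unparsable address: fail closed
        if self.addr_policy == "strict":
            return bound == seen
        if bound.version != seen.version:
            return False
        # "prefix": accept any address in the same network as the original one
        prefix = prefix_v4 if bound.version == 4 else prefix_v6
        network = ipaddress.ip_network("%s/%d" % (bound, prefix), strict=False)
        return seen in network

class SessionManager:
    def __init__(self):
        self.sessions = {}

    def new_session(self, session_id, remote_addr, addr_policy=None):
        session = Session(session_id, remote_addr, addr_policy)
        self.sessions[session_id] = session
        return session

    def get_session(self, session_id, request_addr):
        session = self.sessions.get(session_id)
        # The check lives with the session lookup, so it runs per session.
        if session is not None and not session.address_ok(request_addr):
            raise SessionError("remote address does not match session policy")
        return session
```

Relaxing the policy for a session widens the set of addresses that can replay its cookie, so the policy is best chosen when the session is created and not changed from request data.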