Using HTTP Auth solves this problem quite nicely. The user/password combination is sent with every browser request, so if it's not there you know it's not your original user.

rado
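An added example, not part of the original post: a server-side check that reads the Basic credentials from each request's `Authorization` header and answers with a challenge when they are missing, malformed or wrong. The user store, realm name and function names are assumptions made up for the illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed demo store: username -> PBKDF2-SHA256 digest of the password.
SALT, ROUNDS = b"constructed-demo-salt", 100_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, ROUNDS)}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="demo", charset="UTF-8"'}


def basic_header(user, password):
    """Header value a browser attaches to every request.

    Base64 is an encoding, not encryption, so this belongs on TLS only.
    """
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header):
    """Return (user, password) from an Authorization value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None


def check_request(headers):
    """Return (status, response_headers, user) for one request's headers."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, CHALLENGE, None
    user, password = creds
    # Derive and compare even for unknown users so timing does not reveal them.
    expected = USERS.get(user, b"\x00" * 32)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, ROUNDS)
    matches = hmac.compare_digest(actual, expected)
    if matches and user in USERS:
        return 200, {}, user
    return 401, CHALLENGE, None
```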