I'm wondering if there is a filter available that can check if a session parameters was created from the same IP as the incoming request? I'm trying to address the emailing of URLs by my users, and having them dropped into a running session. Would using SSL be a better solution? Wondering what others are doing to prevent this. -- ~JT