Gossamer Forum

Cookie-only based authorization

Hi. I'm considering changing server-side session authorization to a purely cookie-based one. E.g. when the user has successfully signed in I will drop a cookie on his machine and from then on all I look for is that cookie when he hits any of the pages to grant him access. I would thus take out the auth directory on the server and also the sessionID from the URL. So far, I guess the cookie must at least include user ID and IP. Has anyone had any experience in doing this? What should I consider to make it as secure as possible? Many thanks! E
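
An added example, not part of the original post and not DBMan code: with no server-side session to compare against, the server has to detect a cookie that the client has edited, so the user ID and IP are signed together with an expiry time. It is written in Python; the key, lifetime, cookie layout and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Assumption: a random secret that lives only on the server.
SECRET_KEY = b"constructed-demo-key-replace-with-random-bytes"
MAX_AGE = 3600  # assumed cookie lifetime in seconds


def _sign(payload):
    """HMAC-SHA256 over the cookie fields, keyed with the server secret."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def issue_cookie(user_id, client_ip, now=None):
    """Build the cookie value to set after a successful login."""
    expires = int((time.time() if now is None else now) + MAX_AGE)
    # Base64 keeps a '|' in the user ID from shifting the field boundaries.
    uid = base64.urlsafe_b64encode(user_id.encode()).decode()
    payload = f"{uid}|{client_ip}|{expires}"
    return f"{payload}|{_sign(payload.encode())}"


def verify_cookie(cookie, client_ip, now=None):
    """Return the user ID if the cookie is authentic, unexpired and bound
    to this client IP; otherwise return None."""
    try:
        uid, ip, expires, mac = cookie.split("|")
        payload = f"{uid}|{ip}|{expires}".encode()
        # Check the signature first, in constant time; the other fields
        # are only trusted once it matches.
        if not hmac.compare_digest(_sign(payload).encode(), mac.encode()):
            return None
        if int(expires) < (time.time() if now is None else now):
            return None
        if ip != client_ip:
            return None
        return base64.urlsafe_b64decode(uid).decode()
    except (ValueError, UnicodeError):
        return None  # malformed cookie: wrong field count, bad encoding
```

The cookie itself should be set with the `Secure` and `HttpOnly` attributes so it is not sent in clear text or readable from page scripts. Binding to the IP logs out users whose address changes, and without any server-side state a cookie cannot be revoked before it expires.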