Amy...

Why not just have ASP take care of the password protection? Have the person log in, set a session object, then give the user the upload page. On posting of the file, look for the session object. If it's there - let the download complete, if not bail.

You could put the username/password into the ASP code or "hide" it somewhere outside the web root.

---
Anthony Baratta
President
Keyboard Jockeys

"Conformity is the refuge of the unimaginative."
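
The flow described in the message above, sketched as two classic ASP (VBScript) pages; this is an added example, not code from the original post. The file names `login.asp` and `upload.asp`, the session key `UploadAuth`, the form field names and the credential file path are all assumptions made for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' ===== login.asp (hypothetical name) =====
' CRED_FILE is an assumed path outside the web root, so IIS never serves it:
' line 1 holds the username, line 2 the password.
Const CRED_FILE = "D:\private\upload-cred.txt"
Dim msg

Function CredentialsMatch(user, pass)
    Dim fso, f, wantUser, wantPass
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(CRED_FILE, 1)        ' 1 = ForReading
    wantUser = f.ReadLine
    wantPass = f.ReadLine
    f.Close
    ' The third argument 0 selects a binary (case-sensitive) comparison.
    CredentialsMatch = (StrComp(user, wantUser, 0) = 0) And _
                       (StrComp(pass, wantPass, 0) = 0)
End Function

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If CredentialsMatch(CStr(Request.Form("user")), CStr(Request.Form("pass"))) Then
        Session("UploadAuth") = True              ' the "session object" from the post
        Response.Redirect "upload.asp"
    End If
    msg = "Login failed."
End If
%>
<p><%= Server.HTMLEncode(msg) %></p>
<form method="post" action="login.asp">
  <input name="user"> <input name="pass" type="password">
  <input type="submit" value="Log in">
</form>

<%
' ===== upload.asp (hypothetical name), first lines of the file =====
' This check runs on the GET that shows the upload form AND on the POST that
' carries the file. Guarding only the form page would leave the POST handler
' reachable by anyone who submits to it directly.
If Session("UploadAuth") <> True Then
    Response.Status = "403 Forbidden"
    Response.End                                  ' bail before touching the request body
End If
' ... the upload form or the existing file-handling code continues here ...
%>
```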