rory,

so you're suggesting that we delete cookies when a request is made to m.e.o.? so we blast away the user's session state for other *.e.o. sites simply because they visit m.e.o.? seems problematic to me.

fwiw, there aren't any redirects taking place on m.e.o. if i put an application.cfm in my public_html folder then it will run, and not the one in the directory up.

what's to keep me from using all .html files and reading the cookies with javascript?

thanks,

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/