I read the article you referred to. The article was trying to deter programmers from storing recordsets in application and session variables. Thanks to feedback from other list members, I know a little more about some of the bad habits session variables and response.redirects can let you fall into. Here's my refined logic so far (with most of the response.redirects and session variables removed): On every page, there a string is generated like this: <% Dim strCurrentPage,strCurrentQueryString strCurrentPage = "ReferringPage=" & _ Request.ServerVariables("SCRIPT_NAME") strCurrentQueryString = Request.ServerVariables("QUERY_STRING") If strCurrentQueryString <> "" Then strCurrentPage = strCurrentPage & "&" & strCurrentQueryString End If %> This gets passed to the login script like this: <a href="login.asp?<%=strCurrentPage%>">Login</a><br> So when a user clicks on that link and goes to the login page, the login page is fed with a querystring. This querystring is immediately stored in a variable that gets used later. Before I spoke with thelist, I had separated the login.asp page and the authentication.asp page -- as I had seen in a book that I just bought. Now, everything is handled on the login.asp page. There are no more response.redirects back and forth, and there are no more session variables that carry errors or strCurrentPage. I've basically cut it down to this: <% Session.Contents("UserName") = strUserName Session.Contents("Password") = strPassword Response.Redirect(strReferringPage) %> So there are two session variables, containing small strings. These are be the only two session variables that will be used throughout the site. Everything else is handled with querystrings, and method="post". If I have time, I will design the sections of the site that require a login to still be functional without cookies -- they will just need to login every time they access a protected page. I am not going to store the username or password in a querystring and pass it around the site. It's not secure, and it's a real headache to code. I think I'll be returning the book to the store. I've found the online resources to be much more useful. Cheers, Beau > Is there a reason why you used Querystrings instead of Form. > (i.e. POST instead of GET?)? > > That way, you don't have to deal with the tremendous overhead > of sessions. > > See this article: > Databases and Sessions.... Just Say No! > http://www.learnasp.com/learn/nodbsession.asp > > HTH, > > Don > Makoviney > MAKOVISION.com - Handpicked News For Internet Developers http://www.makovision.com/ FREE Usability/WebDev Newsletter - Twice Weekly http://www.makovision.com/subs/ --------------------------------------- For unsubscribe and other options, including the Tip Harvester and archive of TheList go to: http://lists.evolt.org Workers of the Web, evolt !