Just to clear this up: Sending form data to a secure page from *any* page: 1. Client initiates HTTP connection on port 443 (or whatever is defined for SSL over HTTP) 2. Server responds, and the encryption level is negotiated. Server sends client certificate to client. 3. Client uses the certificate to encrypt the REQUEST, and this is then sent to server. 4. Server uses certificate to decrypt the REQUEST, and process. 5. Server encrypts RESPONSE, and sends to client. 6. Client decrypts RESPONSE, and displays. 7. Connection is closed. Forget querystrings and stateful connections. There is no querystring, no form data, nothing, until *after* an HTTP connection has been successfully negotiated and encryption is in place. SSL means Secure Socket Layer. This means that it's the transport layer that is encrypted, and this covers all communication backwards and forwards after the connection has been negotiated. Sensitive data cannot be sent as clear text in this manner. However, there is a possibility that it's not the webserver that you're communicating, and there could be a proxy in front of the webserver that is handling secure requests. This would be fairly bad, but I have seen it done. In such a case, if you sent form data on the querystring, the proxy server might log the querystring after decrypting it, totally negating the point of encrypting data. So, always make sure that you use POST as the method in your forms, just in case some incompetent fools somewhere (like, say at an ex-employer) decided that such a thing might be a good idea. Oh, as for the length of the querystring: there doesn't seem to be a limit, though some servers and some clients do impose limits. (Netscape Enterprise Server 4 has a limit of 4KiB, but NS4.5 browser seems to choke on 1KiB.) Another good reason to use POST. - seb.