Curtis,

Could you describe how often the problem happens? How many session users go to the site? You mentioned about a month of public usage. During that month, did you have one single incident? How many sessions happened during that month?

All key-based session management systems are intrinsically unsafe, since other people can tap into your session, with non-zero probability, if the key length is finite. The only hope is to make the key long enough, so that even if the hacker has a supercomputer, it would still take him/her the age of the universe to crack into your website.

One thing I mentioned to Pavlos (and/or Anthony Baxter?) before is that the key lengths of their cookies are a bit too short. For my HappySession product (another session management product, which is RAM based), I cranked up the key length to a 128-character alphanumeric key, exactly because I wanted no key collision for a long long time. :)

Another thing I observed during the development of HappySession was that on Linux (and Debian) server systems, I had problems with deleting the cookies of the clients. (No problem with NT server.) In the end, I chose not to delete cookies but instead to set their values to blank when the session expires. It was a weird problem; I did not know why I couldn't delete client cookies (maybe it was a mistake on my part), but I chose the simple way out by setting the cookie to blank. And it worked fine. So instead of detecting the presence of the cookie alone, I detected the presence AND whether the cookie was blank.

regards,

Hung Jung
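
The key-length argument and the blank-cookie check from the message above, as an added Python example (not code from HappySession or from the original post). The 62-symbol alphabet, the cookie name `session_id`, the shape check and all function names are assumptions.

```python
import secrets
import string
from math import expm1, log1p

ALPHABET = string.ascii_letters + string.digits  # assumed: 62 alphanumeric symbols
KEY_LENGTH = 128                                 # key length quoted in the message

def new_session_key(length=KEY_LENGTH):
    """Build a key from the OS CSPRNG, one alphabet symbol per character."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def collision_probability(length, sessions):
    """Birthday bound: chance that any two of `sessions` random keys coincide."""
    keyspace = len(ALPHABET) ** length           # exact integer
    pairs = sessions * (sessions - 1) // 2
    return -expm1(-(pairs / keyspace))

def guess_probability(length, sessions, guesses):
    """Chance that at least one of `guesses` random keys matches a live session."""
    per_guess = sessions / len(ALPHABET) ** length
    return -expm1(guesses * log1p(-per_guess))

def live_session_key(cookies, name="session_id", length=KEY_LENGTH):
    """Return the key only if the cookie is present, not blank and well formed.

    A blank value is what an expired session leaves behind, so it is
    treated exactly like a missing cookie.
    """
    value = cookies.get(name, "").strip()
    if not value:
        return None
    if len(value) != length or any(ch not in ALPHABET for ch in value):
        return None                              # added shape check (assumption)
    return value

if __name__ == "__main__":
    # Compare short keys with the 128-character key: 100,000 sessions for the
    # collision bound, 1,000 live sessions and 10**9 guesses for the guess bound.
    for n in (8, 16, 128):
        print(n, collision_probability(n, 100_000),
              guess_probability(n, 1_000, 10**9))
```
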