- Newbie Question About Sessions
Hello! Sorry I forgot to put a subject in my last mail. It will not happen again!

I'm a newcomer to Zope's world. For now I'm just checking out some features and trying to build some programs on my own. After this blablabla, here is my main concern for now:

How can I define session properties or objects? What I want to do is to be able to define any object (say, the client id in a web store) as a session variable. The tricky thing is that I do not want the content of this object to go back and forth between the browser and the server. I have to put it on the server and access its contents in some session context.

The client id in my case is very important and represents a security flaw if I allow it to be altered during a browser session. This object must be defined when the client logs in to the application. If I allowed it, any user could for example update or access some record in a SQL database that did not concern him, just because this client id is indeed the identification number of the user in my database model.
I've thought about this sort of problem before as well. One thing you could do is use Zope for handling permissions.

Barring that, you could either create a hidden form variable or a cookie that is something like this:

    (MD5 Hash)+UserName+Permission+OtherVariable

The MD5 hash would be computed based on:

    <secret password>+UserName+Permission+OtherVariable

Then, when a request comes in, you can just recompute the MD5 hash and make sure that it matches the one the user sent. If they changed any of the information, the hash wouldn't match. (And the user can't just recompute the hash, because they don't have the secret password.)

Is this the kind of thing you're thinking of? The data *is* going to the user, but they can't modify it.

Kevin

On Thu, Jan 21, 1999 at 05:21:20PM -0000, Bernardo Lopes wrote:
,-----
|
| How can I define session properties or objects? What I want to do is to be
| able to define any object (say, the client id in a web store) as a session
| variable. The tricky thing is that I do not want the content of this object
| to go back and forth between the browser and the server. I have to put it
| on the server and access its contents in some session context. The client id
| in my case is very important and represents a security flaw if I allow it to be
| altered during a browser session. This object must be defined when the
| client logs in to the application. If I allowed it, any user could for
| example update or access some record in a SQL database that did not
| concern him, just because this client id is indeed the identification
| number of the user in my database model.
|
`-----

--
Kevin Dangoor
UUnet Technologies
kid@ans.net / 734-214-7349
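The recompute-and-compare check Kevin describes, as an added example that is not from the original thread: it uses HMAC-SHA256 (the keyed-hash construction that the secret-prefixed MD5 pattern approximates, and which is not subject to the length-extension weakness of a bare prefixed hash) and separates the fields with a delimiter so that concatenation is unambiguous. The secret, the user name and the client id value are constructed for the example.

```python
import hmac
import hashlib

# Constructed for the example; a real deployment keeps this only in server-side config.
SERVER_SECRET = b"example-secret-do-not-reuse"

SEP = "|"


def make_token(secret: bytes, username: str, permission: str, other: str) -> str:
    """Build the cookie value as <mac>|<UserName>|<Permission>|<OtherVariable>.

    Fields are delimited so that ("ab", "c") and ("a", "bc") cannot produce
    the same authenticated payload; a field containing the delimiter is rejected.
    """
    fields = [username, permission, other]
    if any(SEP in f for f in fields):
        raise ValueError("field may not contain the separator")
    payload = SEP.join(fields).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return mac + SEP + payload.decode()


def verify_token(secret: bytes, token: str):
    """Recompute the MAC over the fields the client sent and compare it
    in constant time to the MAC the client sent.

    Returns (username, permission, other) when the token is intact,
    or None when it is malformed or any field was altered.
    """
    parts = token.split(SEP)
    if len(parts) != 4:
        return None
    sent_mac, username, permission, other = parts
    payload = SEP.join([username, permission, other]).encode()
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sent_mac, expected):
        return None
    return username, permission, other


if __name__ == "__main__":
    token = make_token(SERVER_SECRET, "bernardo", "customer", "clientid=42")
    print("intact  :", verify_token(SERVER_SECRET, token))
    # Altering the client id, the case the question worries about, fails verification.
    tampered = token.replace("clientid=42", "clientid=43")
    print("tampered:", verify_token(SERVER_SECRET, tampered))
```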