i wanted to ask you how should i protect my scripts to prevent hacking to session's and cookies - and no, im not talking about the actual insert queries that requires addslashes and so on. In my cookies i usually just include my password (encrypted) and my UserID - check them with a simple mysql query. The sessions usually just approves that the user has logged in properly,therefore, has only one variable named ie "has_logged_in". are ther any common mistakes that is hould look over? another thing is, how should i use the session.id in order to check for approved login. thanks, ben.