It's p[retty simple, there are a few options, when you login; 1.) the script creates a $_SESSION value that will be checked every page the user requests. if the $_SESSION value isn't found, the page will not be opened. (the user will be redirected.) A session can either result in a cookie or some header code. 2.) The script inserts a value to the databse, and uses the url, some hidden value or a cookie to let the user pass the value back to the script. If the value for that ip matches the value from the database, it passes the validation. Some problems occur when more then one user logsin from the same ip. Solutions are there, just an example. *) lots of other options. just make sure login pages are going trough ssl and you're safe to go. GL