I just read the heated topic in archive about keeping the username and password out of the address bar. I created and maintain eteleseries.com and my client - the owner - is very particular. This is a "virtual classroom" for paid (big $) teleconference series. The audio replays and documents need to be VERY secure from prying eyes and sharing. I set up the login directly on the main page of the site. No "ugly window." I coded the submit to open a new window which has no address or status bar: <form target="view" onSubmit="open('/amember/login.php','view','height=500,width=720,resizable=yes,toolbar=1,scrollbars=1,status=0')" action="/amember/login.php" method=post> This has worked excellent for the MAJORITY of users. Once the student is inside their area, the contents of their pages (htm, pdf, doc, etc) all stay in the window with no address bar. If I do need to open a new window that's within the protected area, I create parameters to suppress the address and status bars there too. The site is relatively young, but it's worked for us, and made the client (and her speakers) VERY happy with the level of security. Oh, by the way... the bad thing about this stuff showing in the address bar is that someone can copy the address, send it to someone, and they can then paste it in (or click it from an email) and gain access - bypassing the login. I **do** have to keep reminding my client that nothing is totally secure though. They could always just give their login info to someone to use. We had this happen, and this person also gave away the call in info to listen in on the live phone conferences. They were promptly expelled with no refund, as per the contract my client had students sign upon registration. The other students were told what happened, as the phone # and PIN number had to be changed for everyone. That seems to be the BEST deterrent to security leeches (uh, I mean breeches). Overall this seems to make everyone happy. Hope it helps around here. Lisa