About your question about the hidden variables: They can be changed. If a user goes into their cache in IE they can actually change the page and go "back" to it. Then they can submit it with any info they want. A very good replacement for this is to use session variables. This stores the information on the server (away from the user) for the scripts.

If you don't want to do this I suggest when someone logs on to the website have it generate a key and use that in the hidden feild. Log this key into the DB then use that for authentication. Also add a Timestamp into the DB to allow for login timeouts.

--BigJoe

Learn patience, you must.
Young PerlMonk, craves Not these things.
Use the source Luke.