Hi Marc! About the LoginCookieValidity - a question: Since I don'T use cookie auth, is it possible for users to set LoginCookieValidity off (say to 0) and then the en/decoding of the cookie is not always performed? If that's not yet the case, I'd suggest to do so, because I suppose some users may want to use cookies, don't have mcrypt but wouldn't need the CookieValidity Setting - so for them, the cookie shouldn't be en/decoded everytime. Regards, Garvin. (P.S., Marc: Your mail about the session stuff needs some more thinking from me, but I didn't ignore it :-) -- ++ Garvin Hicking | Web-Entwickler [PHP] | www.supergarv.de | ICQ 21392242 ++ Developer of | www.phpMyAdmin.net | www.s9y.org ++ Make me happy | http://wishes.garv.info