$quoted_author = "Craig Sanders" ; > > it may still have a valid session cookie or similar. But surely when a password is invalidated and/or changed you should also invalidate all existing session cookies? Or is that asking too much of the "geniuses" in charge of security? cheers Marty