Not really a specific question as such, but I wanted to see if anyone had any thoughts regarding the security of sessions when implemented by URL rewriting. Usually sessions are supported using Cookies in the HTTP header, and they are secure when you move to HTTPS since this header info is encrypted. If URL rewriting is implemented in HTTP, the session information will now be written to the weblog with both GET and POST requests. As far as I can see, this will remain the same when moving to HTTPS: That is, URL rewriting will cause the session information to be written to logs. While this may not be seen as a massive security breach, I'm not sure the clients would appreciate it. (or is there something related to HTTPS that I'm missing that will save us?) Dave.