Questor opened this issue on Jul 29, 2004 · 17 posts
Questor posted Sat, 31 July 2004 at 3:34 PM
Lillian, that's fair enough regarding sending people links. But nobody sent me one. I posted a link into the Poser forum. Some people who clicked that link to download the files I was offering left that information in my logs.

It is my understanding that you cannot post in the forums unless you are logged in; to log in you must accept cookies. The people who responded to the link to freestuff I posted had to have been logged in to reply. Six of these left session ID and key info in my server logs just by clicking the link I posted. Others I presume were lurkers who clicked by visiting the thread without posting to it. That link took them directly to a freestuff page on my server.

I don't understand how that can happen by your explanation of how it works. By rights that info should not have shown up in my logs. The users didn't visit my site and leave that information there in a link; the server log got it, presumably from their browser.

Perhaps you're missing what I mean by server log. This is an activity logging facility that tells me what browser visited and what sections of the site were visited. That's all the information it gathers: browser type/name/version and pages visited. That's just plain weird, but if my server running a browser track log managed to suck that info in without even trying, what about those sites who deliberately harvest user info?

I don't believe that forcing people to enable cookies on this site will cure what I've seen. It may, perhaps, possibly cure the IM/Forum link problem that many have experienced, but that won't stop the information being transmitted to other servers.

Please understand. Nobody sent me a link, and I did not send anyone a link. A remote site server picked the data up by people clicking an externally referenced link. For instance, I post a link here to my site. People click that link to see what's at the end. By simply clicking that link and visiting my site, some of them are leaving the session ID and key recorded in my site usage log.

***But, the down-side is it would create another uproar that we changed something***

That unfortunately is always a risk, especially on a site like this where changes don't always make immediate sense or appear particularly useful. But what I'm trying to explain here I believe needs to be investigated fully and changed, regardless of the potential outcry, because it's a security hole of fairly awesome proportions. I've not tried to use the information I found as I'm not that way inclined, but if being logged in as somebody allows access to their accounts, merchant data, merchant forum etc., the implications are staggering.
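An added example, not part of the thread: a log scrubber that an operator in Questor's position could run so that visitors' session values are not retained in a usage log. It assumes the values arrived as query parameters in the Referer field of a Combined Log Format line, which the post does not confirm; the parameter names, hostnames and sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names; the post does not give the forum's real ones.
SENSITIVE_PARAMS = {"session_id", "sessionid", "sid", "key"}

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def scrub_url(url):
    """Return (clean_url, removed_names); sensitive query values become REDACTED."""
    parts = urlsplit(url)
    if not parts.query:            # covers "-" (no referer) and query-less URLs
        return url, []
    pairs, removed = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            removed.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not removed:                # leave untouched URLs byte-for-byte identical
        return url, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), removed

def scrub_line(line):
    """Scrub the referer of one log line; unparseable lines pass through unchanged."""
    line = line.rstrip("\n")
    m = LOG_RE.match(line)
    if not m:
        return line, []
    clean, removed = scrub_url(m.group("referer"))
    return f'{m.group("head")} "{clean}" "{m.group("agent")}"', removed

# Constructed sample lines (documentation IP range, placeholder hostnames and values).
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Jul/2004:15:02:11 +0000] "GET /freestuff/index.html HTTP/1.1" '
    '200 5120 "http://forum.example/thread.php?thread_id=42&session_id=CONSTRUCTED123'
    '&key=CONSTRUCTEDKEY" "Mozilla/4.0"',
    '203.0.113.9 - - [31/Jul/2004:15:04:40 +0000] "GET /freestuff/index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        cleaned, names = scrub_line(entry)
        print(names, cleaned)
```

Scrubbing only limits what the receiving site stores; the values are still transmitted for as long as the originating site carries them in its URLs.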