It's because the site uses persistent cookies for the session. If someone sends a link with their session ID in it, you log in and you're them. The solution is for the person to be very sure they don't have their session ID included in the link, but also if they log out, you won't be able to log in as them. Personally, I think this is really sloppy coding, and I know for sure that there are better ways to handle sessions and cookies, but I'll let other people argue about it. I mostly wanted to pass on the information about how to work around it. bonni

"When a man gives his opinion, he's a man. When a woman gives her opinion, she's a bitch." - Bette Davis