I use a DB table to manage my users, I do not have to worry about locking it down to one user, however one thought is to track the user into a temporary DB, if the user name is there and the sessionID does NOT match the one in the DB, then the user is not granted permission to access the programs. If they have logged out, then the logout page will go in and delete the user from the DB field. As each page is loaded it checks the DB against the user's cached data. If there is an issue, the DB is treated as correct and the user is dropped. Once that happens a few times to someone logged into a "critical" app and they lose data (it should check the data before storing information) then that will essentially for the users to have their own user/pw combo.
HTH, Robert -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php