> [snip]
> ... (at which point the
> referrer would be checked to make sure the redirect came from the login
> app and not untrusted source).

To hack your page I would just set the referrer header field before calling the URL and I would be an undetected "untrusted" source. Therefore this test doesn't bring any additional security.

Marc.
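Added example, not part of the message above or of the application under discussion: the referrer check from the quoted text next to one alternative, a short-lived HMAC-signed token that the login app attaches to its redirect and the protected page verifies. The key, the `login.example.test` host and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

# Assumption: a secret known only to the login app and the protected app.
SHARED_KEY = b"constructed-demo-key-not-for-production"
LOGIN_APP_URL = "https://login.example.test/"  # hypothetical login app origin
MAX_AGE_SECONDS = 60


def referrer_check(headers):
    """The check from the quoted text: it trusts a header the client fills in."""
    return headers.get("Referer", "").startswith(LOGIN_APP_URL)


def _tag(payload):
    """HMAC-SHA256 over the payload, hex encoded."""
    return hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, now=None):
    """Login app side: bind the user and the issue time under the shared key."""
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{issued}"
    return f"{payload}|{_tag(payload)}"


def verify_token(token, now=None):
    """Protected app side: return the user if the token is authentic and fresh, else None."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user, issued, tag = parts
    expected = _tag(f"{user}|{issued}")
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    # 'issued' is trusted only after the HMAC has been verified.
    age = (time.time() if now is None else now) - int(issued)
    return user if 0 <= age <= MAX_AGE_SECONDS else None


if __name__ == "__main__":
    # Constructed request: the Referer value is whatever the client chose to send.
    print(referrer_check({"Referer": LOGIN_APP_URL + "done"}))   # passes the check
    print(verify_token("admin|1000|deadbeef", now=1030))         # rejected without the key
```

A valid token can still be replayed within `MAX_AGE_SECONDS`; making it single-use needs server-side state that this example leaves out.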