Make your users log in, and when they do login successfully, set a variable that will tell your applications that the user logged in successfully, *AND* put that variable in a *session* variable - don't pass the variable around with GET and POST requests. Session variables are kept on the webserver - they are NOT exposed to the user. Each script should check the session variable - if it's not set, redirect the user to the login screen. HTH.