Hackers can write bots to, for instance, hit an order page and submit false data over and over using a session for every hit. Eventually the system will run out of sessions. I'm thinking of using JSPs calling beans that use JDBC for the database interaction...how do I deal with the problem I just described? What is the common solution to the problem, or does no one worry about it? Thanks for any comments. =========================================================================== To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST". FAQs on JSP can be found at: http://java.sun.com/products/jsp/faq.html http://www.esperanto.org.nz/jsp/jspfaq.html