After replying to a .htaccess thread I read another reply which suggested they user $REMOTE_USER. I read the HTTP Authentication section and found "In order to prevent someone from writing a script which reveals the password for a page that was authenticated through a traditional external mechanism, the PHP_AUTH variables will not be set if external authentication is enabled for that particular page. In this case, the $REMOTE_USER variable can be used to identify the externally-authenticated user." However, I have user $PHP_AUTH_USER in conjunction with .htaccess many times with no problems. If that does not count as an external mechanism, what does? Thanks Sheridan