Yes, Ben, I thought about your lighter solution. But what I am worried about, is that people may discover what that object is (if it is static, such as user name), and insert it manually into there browser, thus passing the security constraint of being "not null." Is this a problem? Or am I being paranoid?