I have a web app used by a small number of people (internal only) and am using a randomised sessionID that is stored under the user record and placed in various links. I have had a problem where users are sending links to each other which is allowing them to hijack the sender's session. What are some ways of preventing this from happening while still letting users send links to one another? Edit: The session ID in the link (which also contains $username) is just compared to what is stored in the User table. &incorrectLogin just prints an error followed by die; if ($sid) { $sth = $dbh->prepare("SELECT * FROM tbl_User WHERE UserID = '$username'"); $sth->execute(); $ref = $sth->fetchrow_hashref(); $session_chk = $ref->{'usr_sessionID'}; unless ($sid eq $session_chk) {&incorrectLogin;} } The problem is that if someone uses a link that is created by someone else, the page will load as them. I am not using cookies, and I recall being told in the past that CGI perl cookie handling is quite poor.