Stumbled upon this: http://www.mnot.net/drafts/draft-nottingham-http-poe-00.txt If you think of the unique POE-Links as a URL + token, this would have pretty much solved the CSRF issues - back in 2005. Too bad it wasn't picked up then. bye, Dirk -- http://www.haun-online.de/ http://geeklog.info/