Better Session Recovery for Authenticated Users.
I see you set the domain cookie 'token' to the session ID. The app will accept the cookie value and recover the session in the absence of the PHPSESSID cookie. However, once the server drops the session, then the user always has to log in again - which I find frustrating - mainly because I'm lazy :-)

I'm sure you know this, but it would be great if you hashed the username with a secret salt value to produce a token that would be secure enough to re-authenticate a visitor whose PHP session has expired - thus negating the need for me to squint at my iPhone every time I need to log back in again ;-)

Nice app though - we love it.

Steve Sant

p.s. I work at krystal.co.uk - I see the site is hosted on a Windows machine - we specialise in open source, so if you ever need Linux hosting/dedicated/colo I'd be more than happy to help :)
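
The re-authentication token suggested in the post above, sketched as an added example; it is not part of the original post and not the application's code. It uses a keyed HMAC rather than a plain salted hash and adds an expiry, which goes beyond the suggestion; the function names, token layout, lifetime and sample values are assumptions.

```php
<?php
// Added example, not the application's code. Function names, the token
// layout and the 30-day lifetime are assumptions made for illustration.

const TOKEN_TTL = 30 * 24 * 3600; // assumed token lifetime in seconds

// Build the value for the 'token' cookie: base64(username)|expiry|hmac.
function issue_token(string $username, string $secret, int $now): string
{
    $expires = $now + TOKEN_TTL;
    // Base64 keeps the '|' separator out of the username field.
    $payload = base64_encode($username) . '|' . $expires;
    // Keyed hash: without $secret the tag cannot be recomputed for another user.
    $tag = hash_hmac('sha256', $payload, $secret);
    return $payload . '|' . $tag;
}

// Return the username if the token is authentic and unexpired, else null.
function verify_token(string $token, string $secret, int $now): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null; // malformed cookie value
    }
    [$user64, $expires, $tag] = $parts;
    $expected = hash_hmac('sha256', $user64 . '|' . $expires, $secret);
    // Constant-time comparison, so timing does not leak how much of the tag matched.
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    // The expiry is covered by the HMAC, so a client cannot extend it.
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;
    }
    $username = base64_decode($user64, true);
    return $username === false ? null : $username;
}

// Constructed sample values for a stand-alone run.
$secret = 'constructed-sample-secret';
$now = 1700000000;
$token = issue_token('steve', $secret, $now);

var_dump(verify_token($token, $secret, $now + 60));            // fresh token
var_dump(verify_token($token, $secret, $now + TOKEN_TTL + 1)); // token past its expiry
var_dump(verify_token(issue_token('admin', 'guessed-secret', $now), $secret, $now)); // forged with another key
```

A token built this way stays valid until it expires or the secret is rotated, so it cannot be revoked for a single user; a random token stored server-side per user is the usual alternative when individual revocation is needed.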