The syntax I've used includes url= before the actual url.

<meta http-equiv="refresh" content="0; url=http://www.example.com/dir/page.html">

Also, meta refresh is user agent specific, and not part of a standard. Note this recommendation from the W3C:

Some user agents support the use of META to refresh the current page after
a specified number of seconds, with the option of replacing it by a different URI.
Authors should not use this technique to forward users to different pages, as this
makes the page inaccessible to some users. Instead, automatic page forwarding should
be done using server-side redirects.

W3C Reference [w3.org]

Hmmmm... Thanks for the info. The reason I'm doing this is because I'm trying to hide the URL of a "secure" page that really isn't all that secure. I guess that's security by obfuscation? I can't put the page in question in a password protected directory so I made up that little redirect page and put the redirect page in a secure directory. The user has to log in to get to the secure redirect page which then redirects back to the final destination.

Concerning redirects in the apache conf file... if the original URL is in a password protected directory but the redirect is not, will apache require authentication?

By the way tedster, adding the "url=" fixed it. Still, I think I'd better find a better way to do this.

Thanks...