Forum Moderators: coopster

Login script

         

Dhruv

5:36 pm on Sep 30, 2004 (gmt 0)

10+ Year Member



I've started making a guestbook and want to add an admin CP. Here is the relevant code. (It's adapted from what I've learnt at the tutorial)


function Show_Content()
{
    session_start();

    // Frameset: both frames load this same script with a different act value.
    print "<html>
<head><title>Guestbook Administration </title></head>
<frameset cols='185, *' frameborder='no' border='0' framespacing='0'>
<frame name='menu' noresize scrolling='auto' src='?CODE=02&act=menu'>
<frame name='body' noresize scrolling='auto' src='?CODE=02&act=index'>
</frameset>
</html>";
}

function Show_Pages()
{
    global $act, $CODE;
    session_start();

    // Map of act values accepted from the URL.
    $choice = array
    (
        "idx" => "idx",
        "menu" => "menu"
    );

    // Note: nothing here checks that the visitor has logged in.
    if ($choice[$_GET['act']] == 'idx' || $_GET['act'] == 'index')
    {
        Display_Content();
    }
    else if ($choice[$_GET['act']] == "menu")
    {
        Admin_Menu();
    }
    else
    {
        print "why the heck is this here?";
        Do_Login();
    }
}


OK, before I ask the questions, let me just say this. Display_Content() and Admin_Menu() have just 2 lines: session_start(); and a print statement (for now).

As you can see, Show_Content() is called once the login has passed, then Show_Content() calls a framed page. Since I don't want to load pages as such (I want to load functions in the frames), I use ?CODE=02&act=menu/index

At the top of the script is a switch statement which basically calls Show_Pages() when it reads 02 from the URL. Using the 2nd query, the right function is shown.

All this works so far. Except for a hitch. Even though I don't log in, I can directly access the URLs ...CODE=02&act=menu

Obviously this is not right. How do I make sure that the URL can't be accessed unless the session is active? I'm not using cookies and it's kinda getting confused. How do I verify EACH time the user clicks on the link that he is who he says he is?

I've not posted the login code because I don't want to confuse anyone. But if you think it'd help I'll post it.

Thanks

coopster

12:58 pm on Oct 4, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



You will need to check the session information for that user on each page accessed to make sure they are logged in and authenticated. A common practice is to keep the authentication routine in a function. Then, that script with the authentication function is included at the very beginning of every page the user is attempting to access that requires the user to identify themselves. If the user passes, OK, keep going and show the page. If not, redirect to your login.
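
The per-request check described in the reply above, applied to the ?CODE=02 dispatcher from the question. This is an added example, not code from either poster; the session key `admin_user`, the helpers `require_admin()` and `mark_logged_in()`, and the login URL `?CODE=01` are assumptions, and the two page functions are stand-ins.

```php
<?php
// Added example: names marked (assumed) are not from the original thread.
session_start();   // once, before any output, so every branch sees $_SESSION

const LOGIN_URL = '?CODE=01';   // (assumed) URL of the login form

// Gate for every protected request: returns only when the login handler
// has marked this session as authenticated; otherwise redirects and stops.
function require_admin(): void
{
    if (empty($_SESSION['admin_user'])) {   // (assumed) key set at login
        header('Location: ' . LOGIN_URL);
        exit;   // without this, the protected output would still be sent
    }
}

// (assumed) called by the login handler after the password check passes.
function mark_logged_in(string $username): void
{
    session_regenerate_id(true);   // issue a fresh session id at login
    $_SESSION['admin_user'] = $username;
}

// Stand-ins for the thread's page functions so this file runs on its own.
function Display_Content(): void { print "admin content"; }
function Admin_Menu(): void      { print "admin menu"; }

function Show_Pages(): void
{
    require_admin();   // runs for each frame request, not just the frameset
    $pages = array(
        'idx'   => 'Display_Content',
        'index' => 'Display_Content',
        'menu'  => 'Admin_Menu',
    );
    $act = $_GET['act'] ?? '';
    if (isset($pages[$act])) {
        $pages[$act]();            // only whitelisted function names are called
    } else {
        http_response_code(404);
        print "Unknown page";
    }
}

if (($_GET['CODE'] ?? '') === '02') {
    Show_Pages();
}
```

Because the gate sits inside the dispatcher, a direct request to ...CODE=02&act=menu without a logged-in session gets the redirect instead of the menu.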