I have found this article on the web: http://pdos.lcs.mit.edu/cookies/pubs/webauth:tr.pdf And: http://www.acros.si/papers/session_fixation.pdf Among the other things, the second article claims (if I'm not wrong) that url based sessions are not more secure that cookies. The first article explain the importance of not to leak the user's passwords (so I need to login on SSL, this makes the default implementation of guard not usable). Regards Manlio Perillo