hey out there...

I tinkered a bit over my previous questions and came up with a partial solution...

Just to recap: I wanted login and session data to go over HTTPS. And, to prevent snoopers from taking over the session, the session should be invalidated when switching over to HTTP.

Preconditions: I have configured in apache both https and http virtual hosts to use the same DocumentRoot and put dokuwiki in there. That means http://host/dokuwiki/bla refers to exactly the same content as https://host/dokuwiki/bla

To get login and session data to HTTPS, the following has to be appended to the .htaccess of dokuwiki:

    #HTTPS for login in dokuwiki
    RewriteCond %{HTTPS} off
    RewriteCond %{THE_REQUEST} do\=(login|logout|register|resendpwd|admin)
    RewriteRule (.*) https://yourhost.tld/path/to/dokuwiki/$1 [R]

It is crucial that the .htaccess with the above lines is in the same directory as doku.php, else the RewriteRule does not do what you want and you'll have to rewrite it ;)

To log the user out as soon as one HTTP request in the session is made, I added a small code block in inc/actions.php, at the beginning of act_dispatch(), after the declaration of global variables:

    if( $conf['logout_on_http'] === true && $_SERVER['HTTPS'] !== "on" ) {
        act_auth('logout');
    }

Okay, now I'll look into making the wiki source code readable only for registered users.

cya
Dave KLiczbor

--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
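Added example, not part of the original post or of DokuWiki: a small Python model of the two rules above, run over constructed request lines, to check which plain-HTTP requests end up redirected, logged out, or served. The `decide` function and the sample requests are assumptions made for illustration; the regular expression is the one from the post, and `%{THE_REQUEST}` is modelled as the request line only, which is how Apache defines it.

```python
import re

# Pattern copied from the RewriteCond in the post; mod_rewrite applies it as an
# unanchored search against %{THE_REQUEST}, i.e. the request line only.
LOGIN_ACTIONS = re.compile(r"do\=(login|logout|register|resendpwd|admin)")


def decide(request_line, https, logout_on_http=True):
    """Return 'redirect', 'logout' or 'serve' for one request.

    Hypothetical helper: models the two rules from the post in order, the
    .htaccess rewrite first, then the check at the top of act_dispatch().
    """
    if not https and LOGIN_ACTIONS.search(request_line):
        return "redirect"   # RewriteRule ... [R] sends the client to https://
    if logout_on_http and not https:
        return "logout"     # act_auth('logout') in the post's PHP snippet
    return "serve"


# Constructed sample requests: (request line, arrived over HTTPS?)
SAMPLES = [
    ("GET /dokuwiki/doku.php?do=login HTTP/1.1", False),
    ("GET /dokuwiki/doku.php?id=start&do=admin HTTP/1.1", False),
    ("GET /dokuwiki/doku.php?id=start HTTP/1.1", False),
    # Form submission: a 'do' field in the POST body is not part of
    # THE_REQUEST, so the rewrite condition cannot see it.
    ("POST /dokuwiki/doku.php HTTP/1.1", False),
    ("GET /dokuwiki/doku.php?id=start HTTP/1.1", True),
    ("GET /dokuwiki/doku.php?do=login HTTP/1.1", True),
]


def run_samples():
    """Outcome for every constructed sample, in order."""
    return [decide(line, https) for line, https in SAMPLES]


if __name__ == "__main__":
    for (line, https), outcome in zip(SAMPLES, run_samples()):
        scheme = "https" if https else "http"
        print(f"{scheme:5} {outcome:8} {line}")
```

The POST sample is the case to check on a real install: the rewrite only sees parameters in the URL, so a form that submits its `do` field in the body over plain HTTP reaches PHP and is handled by the logout check instead of being redirected.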