Allow if: $_SESSION['SecurityAssist_UserID'] = ''
That will allow users to pass if the session variable isn't defined. I think that line in the rule is supposes to be use "Restrict" instead of "Allow".
Thanks for replying but that rule is restricted not allowed on the server? i just checked it is restricted?