Sorry, maybe I wasn't clear enough in my meaning; I am not using the URL itself as security.
Access to the URL I'm not bothered about; using the URL variable is only giving me a value so I can set some conditions to tell the page which sections to load,
e.g. load a login form on a login page.
I am doing this as the page is based on a PowerCMS template.
The access rule is initiated only if the page has a string in the URL, as I only want to invoke the access rule on specific 'pages'.
So, for example, the secure page is part of the general page template.
Only if this 'page' is loaded, the access rule is initiated.
The access rule uses the same login security as PowerCMS, and limits access to members with an entry in the users table.
(I have further secured PowerCMS so this is now only available to Super Admin, as is in-line editing, by changing the rules in WA_CMS.php.)
Does that make more sense, or is this scenario still insecure?