I don't think this is the case; the session information is stored server side, not client side, if you have the settings like I mentioned in post #6. If you put the access rule on the page to only allow logged-in users, it would prevent this from occurring regardless. If for any reason the USER_ID session variable were not present, the rule would not allow them to insert a record.