I've created a demo version of one of our web portals, for use in showing the system to clients. I found that when they were both listed under the same website, there was an issue with the session variables transferring between the two. This obviously raised concerns about security, since we're using userID and securitylevel variables to control access. It could feasibly mean that they could log into the demo site with supplied credentials, then switch over to the live site, and get in automatically, since it would see the appropriate security level. In an effort to stop that, I moved the demo site off the default website, and created a new website on the server in IIS, mapping it to port 82. However, one of our clients is unable to access this, because their configurations are locking that port down. I need a way I can set this up so that it's accessible, but neutralise the session variable issue. Anyone got any suggestions (without changing the session variable names - that would require too much work to set up and maintain as a copy from the live site)?
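
An added example, not part of the original post and not IIS or ASP code: a small Python model of the situation described, where both portals read the same session variables, and of one mitigation that leaves `userID` and `securitylevel` unchanged by adding a single variable recording which portal issued the session. The `issuedBy` name, the function names, the session id and the numeric levels (higher meaning more privileged) are assumptions.

```python
# Model of the problem in the post: two portals end up reading the same
# session variables, so a login on the demo is honoured by the live portal.
# All names are hypothetical; sample values are constructed.

SESSIONS = {}  # shared session store: session id -> session variables


def login(site, session_id, user_id, security_level):
    """Populate the session after a successful login on `site`."""
    SESSIONS[session_id] = {
        "userID": user_id,
        "securitylevel": security_level,
        "issuedBy": site,  # added variable: which portal created the session
    }


def naive_access(site, session_id, required_level):
    """Behaviour described in the post: trust the variables wherever they came from."""
    s = SESSIONS.get(session_id)
    return s is not None and s["securitylevel"] >= required_level


def bound_access(site, session_id, required_level):
    """Hardened check: the session must have been issued by this portal."""
    s = SESSIONS.get(session_id)
    if s is None:
        return False  # no session at all: must log in
    if s.get("issuedBy") != site:
        return False  # session minted by the other portal: must log in here
    return s["securitylevel"] >= required_level


def demo():
    # Constructed scenario: a client logs in to the demo with supplied credentials.
    login("demo", "sid-constructed-1", user_id=7, security_level=3)
    return (
        naive_access("live", "sid-constructed-1", 3),  # demo login accepted by live
        bound_access("live", "sid-constructed-1", 3),  # rejected by live
        bound_access("demo", "sid-constructed-1", 3),  # still valid on the demo
    )


if __name__ == "__main__":
    print(demo())
```

The check belongs in whatever shared include or base page already tests `securitylevel`, with the portal's own name set per site in configuration rather than in the copied code.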