>Correction
>
>Working on an organizational web site. Certain pages that require login, which I include this line at the top of the page
>
>#INCLUDE file="security.asp"
>
>the ‘security.asp’ page checks to see if the CusKey (customer account) session variable is set or not. If not displays the login screen or it continues on with the original page.
>
>It works great unless you pass a parameter the page like: events.asp?staff=1
>Events.asp has the #INCLUDE file="security.asp"
>
>At that point the request.querystring does not see the ?staff=1
>
>session("staffkey")=request.querystring("staff")
>
>How can I capture the parameter ?staff=1

The syntax seems to be ok. The problem that I see with your approach is that it will be too easy to bypass your login screen by typing this request on the address line.