The Apache server combining with MySQL and PHP has becoming a new platform, the LAMP for Web based applications. The platform level security had been dealt with by the security improvement of the OS, firewall and HTTP server. Yet the application level security problems seemed to be overlooked. In this paper an application level security mechanism using once-only URL is proposed. Also an Apache plug-in module to support this mechanism is developed and implemented.