Even using Cookie mode authentication with the LoginManager product, the user/password data is merely base64 encoded (not encrypted).

Someday I'd like to get a challenge/response authentication going, where the server sends a one-time challenge value and the client/browser uses MD5 (via JavaScript) to hash the user's password combined with that one-time code. This works great in PHPlib. But I don't understand the architecture of LoginManager well enough yet to hack it.

Someone pointed out that the ArsDigita Community System (for AOLserver ("openNSD"!)) also has a well-thought-out user authentication system that might serve as a good model for extending LoginManager.

On Thu, Feb 08, 2001 at 09:01:51PM +0300, Oleg Broytmann wrote:
> It depends on whether you use HTTP or HTTPS. On HTTP passwords go absolutely unencrypted.
--
Fred Yankowski           fred@OntoSys.com      tel: +1.630.879.1312
Principal Consultant     www.OntoSys.com       fax: +1.630.879.1370
OntoSys, Inc             38W242 Deerpath Rd, Batavia, IL 60510, USA
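
The contrast drawn in the message above, as an added example that is not part of the original email and is not LoginManager, PHPlib or ArsDigita code: a base64 cookie decodes straight back to the password, while a one-time challenge hashed with the password yields a response that is useless once consumed. The `user:password` cookie layout, the `ChallengeServer` class and every function name here are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def encode_cookie(user, password):
    # Assumed "user:password" layout; the message only says the data is base64 encoded.
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_cookie(value):
    # Base64 is an encoding, not encryption: any observer of the cookie can do this.
    user, _, password = base64.b64decode(value).decode().partition(":")
    return user, password


def client_response(password, challenge):
    # MD5 is the hash named in the message; an HMAC over a stronger hash is usual today.
    return hashlib.md5((password + challenge).encode()).hexdigest()


class ChallengeServer:
    def __init__(self, users):
        self.users = users    # user -> password; the server needs it to recompute the hash
        self.pending = {}     # user -> outstanding one-time challenge

    def issue_challenge(self, user):
        challenge = secrets.token_hex(16)   # unpredictable, fresh for every login attempt
        self.pending[user] = challenge
        return challenge

    def verify(self, user, response):
        # pop() consumes the challenge, so a captured response cannot be replayed.
        challenge = self.pending.pop(user, None)
        password = self.users.get(user)
        if challenge is None or password is None:
            return False
        expected = client_response(password, challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample credentials.
    print(decode_cookie(encode_cookie("fred", "pw-constructed")))
    server = ChallengeServer({"fred": "pw-constructed"})
    challenge = server.issue_challenge("fred")
    response = client_response("pw-constructed", challenge)
    print(server.verify("fred", response), server.verify("fred", response))
```

The second `verify` call fails because the challenge was already used; the password itself never crosses the wire, though the server still has to hold it (or an equivalent secret) to recompute the hash.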