Oleg Machulski wrote:

<snipped Oleg pointing out security problems with cookie authentication>

I agree Oleg, that cookies aren't really any better than plain old basic authentication on the client<->server side. However, I see I failed to mention in that note what my set up is - I figured since I'd been spamming the list with my problems, everyone knew about them ;-)

I'm running Zope under Apache-SSL, so the front side communications are all encrypted. The leak out the backend to the Db was my only exposure.

Of course, fixing how Zope sets cookies and deals with passwords doesn't do much good if the client still sends a cleartext password at first login - there needs to be some client side support for some form of encryption on the password before it gets sent to the server for the very first time. Unfortunately, nothing beyond Basic Auth. seems to be standard, except full blown SSL, encrypting the entire traffic stream (and it does slow things down). I suppose a Java applet would work, or perhaps even some really clever javascript? Eventually, this turns into a Diffie-Hellman key exchange sort of thing, doesn't it?

Ross

--
Ross J. Reedstrom, Ph.D., <reedstrm@rice.edu>
NSBRI Research Scientist/Programmer
Computer and Information Technology Institute
Rice University, 6100 S. Main St., Houston, TX 77005
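The "Diffie-Hellman key exchange sort of thing" Ross arrives at can be sketched end to end. The following is an added example, not code from Ross's message, from Zope or from Apache-SSL: both sides agree on a fresh shared key, the client wraps the password under that key before its first login request, and the server unwraps it. The group parameters (a Mersenne prime modulus with generator 3) and the SHA-256 counter keystream with an HMAC tag are toy constructions chosen to keep the example dependency-free; a deployment would use a standard group and an authenticated cipher.

```python
import hashlib
import hmac
import secrets

# Toy group parameters, constructed for this example only: a Mersenne prime
# modulus and a small generator. Not a standardised DH group.
P = 2**127 - 1
G = 3
TAG_LEN = 32


def generate_keypair(p=P, g=G):
    """Return (private, public) for one side of the exchange."""
    private = secrets.randbelow(p - 2) + 1      # x in [1, p-2]
    public = pow(g, private, p)                 # g^x mod p, sent on the wire
    return private, public


def shared_key(own_private, peer_public, p=P):
    """Derive a 32-byte session key from the DH shared secret."""
    # Reject degenerate peer values (0, 1, p-1) that force a small-order secret.
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    secret = pow(peer_public, own_private, p)
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(width, "big")).digest()


def keystream_xor(key, data):
    """XOR data with a SHA-256 counter keystream (toy cipher for this example).

    Safe here only because every exchange derives a brand-new key, so the
    keystream is never reused for two messages.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    """Encrypt then MAC: ciphertext followed by an HMAC-SHA256 tag."""
    ciphertext = keystream_xor(key, plaintext)
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_sealed(key, blob):
    """Verify the tag before decrypting; tampering raises ValueError."""
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch")
    return keystream_xor(key, ciphertext)


def first_login_exchange(password):
    """Run the exchange between client and server.

    Returns (password_as_seen_by_server, bytes_on_wire) so a caller can check
    that the server recovers the password and that it never travelled in clear.
    """
    # Server side: publish a public value. In a real deployment this value
    # must be authenticated (which is what SSL/TLS adds on top of plain DH).
    server_priv, server_pub = generate_keypair()

    # Client side: make its own key pair, derive the key, wrap the password.
    client_priv, client_pub = generate_keypair()
    client_key = shared_key(client_priv, server_pub)
    on_wire = seal(client_key, password.encode("utf-8"))

    # Server side: derive the same key from the client's public value, unwrap.
    server_key = shared_key(server_priv, client_pub)
    recovered = open_sealed(server_key, on_wire).decode("utf-8")
    return recovered, on_wire


if __name__ == "__main__":
    seen, wire = first_login_exchange("correct horse battery staple")
    print("server recovered:", seen)
    print("cleartext on wire:", b"correct horse" in wire)
```

The exchange defeats a passive eavesdropper, which is the exposure Ross describes for the first login. It does nothing against an active attacker who can substitute their own public value for the server's, because nothing in plain DH tells the client whose public value it received; that authentication step is exactly what "full blown SSL" supplies, and why it remained the standard answer despite the cost.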