On Wed, Oct 25, 2006 at 03:49:54PM +0200, Willy-Bas Loos wrote:
> So as a temporary compromise, we decided to store the username and password
> in a cookie on the client PC, which is of course a serious weakness.
>
> Can anyone give me some advice on how to do this a better way, without
> consuming too much time, or is this the best thing to do in such a
> situation?

The usual workaround I'm familiar with is to set a hash of some sort
that is the user, password, and some salt. Then you authenticate
against that hash in your application, so that you never actually send
these values, nor store them anywhere except the database.

A

--
Andrew Sullivan | ajs@xxxxxxxxxxxxxxx
"The year's penultimate month" is not in truth a good way of saying
November.
    --H.W. Fowler
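
A sketch of the scheme described in the reply above, added here as an example and not part of the original message. The choice of SHA-256, the in-memory `USERS` dict standing in for the database table, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the application's user table (assumption).
# Only the salt and the derived hash are kept; the password is not stored.
USERS = {}

def _token(user, password, salt):
    """Hash of salt, user and password; each part is length-prefixed so
    ("ab", "c") and ("a", "bc") cannot produce the same input."""
    h = hashlib.sha256()
    for part in (salt, user.encode(), password.encode()):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.hexdigest()

def register(user, password):
    salt = secrets.token_bytes(16)  # per-user random salt
    USERS[user] = {"salt": salt, "token": _token(user, password, salt)}

def login(user, password):
    """Return the cookie value on success, None on failure."""
    row = USERS.get(user)
    if row is None:
        return None
    candidate = _token(user, password, row["salt"])
    if not hmac.compare_digest(candidate, row["token"]):
        return None
    # The cookie carries the user name and the hash, never the password.
    return f"{user}:{candidate}"

def check_cookie(cookie):
    """Return the authenticated user name, or None if the cookie is invalid."""
    # The token is hex, so split on the last ':' in case the name contains one.
    user, sep, presented = cookie.rpartition(":")
    row = USERS.get(user)
    if not sep or row is None:
        return None
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if hmac.compare_digest(presented.encode(), row["token"].encode()):
        return user
    return None
```

The cookie value stays valid until the user's password or salt changes, so it belongs on TLS-only connections, and replacing the salt is what revokes it.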