On Mon, October 23, 2006 2:41 am, Dotan Cohen wrote:
> On 23/10/06, David Tulloh <david@xxxxxxxxxxxx> wrote:
>> Breaking this down you have a hardcoded password.
>> In the script you store a hash of the password rather than the
>> actual password.
>
> Yes, no choice but to have the password in the file. I can't include()
> anything, and no mysql. So, only hashed would I dare keep it.

Can't you just use $_SESSION? Or is that also out?

Once the user is authenticated, $_SESSION['username'] = $username; and you're done.

No passing passwords, hashed or not, back and forth.

Somebody can still hijack the session, but you gain nothing by exposing the password or the hash of the password in that regard.

If they are about to do something particularly sensitive, force them to re-authenticate with the password.

And in your code, you only then need the HASH of the password, not the password itself.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
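The scheme the reply describes, written out as an added example (this is not code from anyone in the thread): the script holds only a password hash, a successful login puts just the username and the time of the password check into the session, and "sensitive" actions demand a fresh password check. The session is passed in as an array so the functions also run from the CLI; in a real request you would hand them $_SESSION. The username, the passphrase and the five-minute re-authentication window are made-up values for the demo.

```php
<?php
// Added example, not code from the mailing-list thread. Session-based
// authentication: the script holds only a password hash, and after login
// the session holds only the username plus the time of the last password
// check, so neither the password nor its hash is sent back and forth.

declare(strict_types=1);

// How long a successful password check counts as "recent" for sensitive
// actions (assumed value for the demo).
const REAUTH_WINDOW_SECONDS = 300;

// Checks the credentials and fills $session on success.
// $storedHash is the password_hash() output pasted into the script.
function loginUser(array &$session, string $username, string $password,
                   string $expectedUser, string $storedHash): bool
{
    if (!hash_equals($expectedUser, $username)) {
        // Run the (slow) hash check anyway so the response time does not
        // reveal whether the username was right.
        password_verify($password, $storedHash);
        return false;
    }
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // In a web request call session_regenerate_id(true) here, so a session
    // id an attacker fixed before login is not kept after it.
    $session['username']  = $username;
    $session['auth_time'] = time();
    return true;
}

function isLoggedIn(array $session): bool
{
    return isset($session['username'], $session['auth_time']);
}

// Sensitive actions: true when the user must enter the password again.
function needsReauth(array $session, int $now): bool
{
    return !isLoggedIn($session)
        || ($now - $session['auth_time']) > REAUTH_WINDOW_SECONDS;
}

function logoutUser(array &$session): void
{
    $session = [];
    // In a web request also call session_destroy() and expire the cookie.
}

// --- demo -------------------------------------------------------------
// Normally the hash is generated once, offline, e.g.
//   php -r 'echo password_hash("...", PASSWORD_DEFAULT);'
// and pasted into the script as a constant, so the plaintext never
// appears in the file. It is computed here only so the example runs
// stand-alone; the passphrase and username are constructed for the demo.
$storedHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

$session = [];
var_dump(loginUser($session, 'dotan', 'wrong password', 'dotan', $storedHash));
var_dump(loginUser($session, 'dotan', 'correct horse battery staple', 'dotan', $storedHash));
var_dump(isLoggedIn($session));
var_dump(needsReauth($session, time()));        // fresh login
var_dump(needsReauth($session, time() + 600));  // window expired
logoutUser($session);
var_dump(isLoggedIn($session));
```

The first login attempt fails and the second succeeds; after that the session reports the user as logged in, needsReauth() is false immediately after login and true once the window has passed, and logout empties the session. Note that this still does nothing against session hijacking, as the reply says; the gain is only that a hijacked session never contains the password or its hash, and the re-authentication step limits what a hijacker can do with it.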