On 24/10/06, Richard Lynch <ceo@xxxxxxxxx> wrote:
> Can't you just use $_SESSION ? Or is that also out? Once the user is authenticated, $_SESSION['username'] = $username; and you're done. No passing passwords, hashed or not, back and forth. Somebody can still hijack the session, but you gain nothing by exposing the password or the hash of the password in that regard. If they are about to do something particularly sensitive, force them to re-authenticate with the password. And in your code, you only then need the HASH of the password, not the password itself.
I'm not sure if I can use sessions. The code needs to be as portable as possible: that means that he will be moving it from server to server very often. If I knew that 100% of the world's servers had sessions support, I might go that way.

Dotan Cohen
http://fedorafaqs.org
http://what-is-what.com/what_is/ubuntu.html
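The session approach suggested in the quoted message, sketched as an added example that is not code from either poster: only the username goes into `$_SESSION`, the server keeps only the password hash, and a sensitive action requires a fresh password check. It assumes PHP 7.1+ with the session extension; `find_password_hash()`, `REAUTH_WINDOW` and the sample user are hypothetical names and constructed values.

```php
<?php
// Added illustration. Assumes PHP >= 7.1 with the session extension enabled.
session_start();

const REAUTH_WINDOW = 300; // constructed value: seconds a password check stays fresh

// Hypothetical lookup stub; a real application would query its user store.
function find_password_hash(string $username): ?string
{
    static $users = null;
    if ($users === null) {
        // Constructed sample user. Only the HASH is stored, never the password.
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    $hash = find_password_hash($username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);         // fresh session id once authenticated
    $_SESSION['username']  = $username;  // identity only: no password, no hash
    $_SESSION['auth_time'] = time();
    return true;
}

// Called when the user re-enters the password before a sensitive action.
function confirm_password(string $password): bool
{
    $user = $_SESSION['username'] ?? null;
    $hash = $user === null ? null : find_password_hash($user);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    $_SESSION['auth_time'] = time();
    return true;
}

// Gate for sensitive actions: logged in AND password checked recently.
function recently_authenticated(): bool
{
    return isset($_SESSION['username'])
        && time() - ($_SESSION['auth_time'] ?? 0) <= REAUTH_WINDOW;
}
```

A sensitive handler would call `recently_authenticated()` first and, when it returns false, prompt for the password and pass it to `confirm_password()` before proceeding.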