Hi gang, Was just thinking of a cheap solution for sites that don't require absolute security. A SSL cert cost about $150 a year. Sites like facebook could use this... Of course it's not for banks etc. You could degrade gracefully when javascript is turned off to just sending the form and checking the password normally if the first test fails which would happen anyway wouldnt it? ... Mainly this was just ment to be a proof of concept. An alternative to SSL for those who have more time than $$ and not quite so high a security requirement. Of course SSL is better! Duh! Just wanted to give you guys something to think about. The password would not be given away like this would it? It just makes it a little more difficult for script kiddies. They would have to have a keylogger running or steal the session. :P Regards, Tim Tim-Hinnerk Heuer http://www.ihostnz.com Mike Ditka - "If God had wanted man to play soccer, he wouldn't have given us arms." 2009/2/15 Michael A. Peters <mpeters@xxxxxxx> > Dotan Cohen wrote: > > >> Have you seen the fit Firefox 3 makes for self-signed certs? So far as >> the end user is concerned, the site is inaccesible. >> >> > Yes I have. > That's why on my site I have an instruction page - and a demonstration of > how Opera does it, which is just as secure and less of a PITA, and a > suggestion that users go ahead and try Opera - something I never did before > FF messed up the self signed SSL process. > > The FF3 really bugged me - > > 1) The purpose of SSL is to provide public/private key encryption. > 2) The purpose of signing is so that they know you are really you on future > visits. > 3) The purpose of certificate authorities is so that they know you are you > on the first visit. > > Many web sites benefit from the first two without needing the complexity of > the third, a concept FireFox seems to have lost. > > I don't need the paperwork hassle etc. for the few sites I run - I just > need a way for a user to authenticate so I can give 'em a session cookie, no > sensitive data is ever collected. Ah well. > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > >