- The username and password are stored as cookies through the browser. If
- the cookies don't exist (or have expired), a login screen is displayed.
After initial authentication, why do you need the password passed back in
the cookie environment? It offers another opportunity for sniffing.
An alternative authentication method is HTTP basic authentication. Username
and password are handled in separate transactions between the server and the
client; your PHP application gets the username from the environment, and the
password is never available to the application environment. Using it with
SSL makes the password unsniffable. It does make it harder to time out a
login, either with or without SSL.
--
Better to rule in Hell than to serve in Heaven.
===============================================
Robert Goff robert@stripped
Technical Writer/Editor, Webmaster 505-564-8959
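The two mechanisms the message contrasts, as an added example that is not part of the original post or of any project mentioned in it: a decoder for the Basic-auth header the browser resends on every request (which is what makes the password sniffable without SSL and the login hard to time out), next to a cookie that carries a signed, expiring session token instead of the password. The SECRET value, the user name "robert" and the password "hunter2" are constructed for the example; the code is Python rather than PHP, and the signed-cookie scheme is a generic HMAC construction, not something the page describes.

```python
import base64
import hashlib
import hmac
import time

# Hypothetical server-side secret; in a real deployment load it from
# configuration on the server, never from the request or a cookie.
SECRET = b"replace-with-a-long-random-server-secret"


def parse_basic_auth(header):
    """Decode an 'Authorization: Basic <base64(user:pass)>' header.

    Returns (username, password) or None if the header is malformed.
    The browser attaches this header to every request, so the password
    crosses the wire each time; there is no server-side state to expire.
    """
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def issue_session_cookie(username, now=None, ttl=900):
    """Issue a signed, expiring cookie value that carries no password.

    Format: username|expiry|hex(HMAC-SHA256(SECRET, "username|expiry")).
    Only the server holds SECRET, so a sniffed cookie is useful until
    expiry and no longer, and it never reveals the password.
    """
    if "|" in username:
        raise ValueError("username must not contain '|'")
    now = time.time() if now is None else now
    expiry = int(now + ttl)
    payload = f"{username}|{expiry}".encode("utf-8")
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode('utf-8')}|{tag}"


def verify_session_cookie(cookie, now=None):
    """Return the username if the cookie is authentic and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expiry_s, tag = parts
    # Reject anything that is not a plain decimal expiry and a 64-char hex tag
    # before comparing, so malformed input cannot reach compare_digest.
    if not expiry_s.isdigit():
        return None
    if len(tag) != 64 or any(ch not in "0123456789abcdef" for ch in tag):
        return None
    payload = f"{username}|{expiry_s}".encode("utf-8")
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    now = time.time() if now is None else now
    if now >= int(expiry_s):                     # this is the login timeout
        return None
    return username


def set_cookie_header(cookie_value, ttl=900):
    """Build the Set-Cookie line: Secure keeps it off plain HTTP, HttpOnly
    keeps it away from page scripts, Max-Age tells the browser when to drop it."""
    return (f"Set-Cookie: session={cookie_value}; Max-Age={ttl}; "
            "Path=/; Secure; HttpOnly")


if __name__ == "__main__":
    # Constructed header for "robert:hunter2".
    print(parse_basic_auth("Basic cm9iZXJ0Omh1bnRlcjI="))
    token = issue_session_cookie("robert", now=1000, ttl=600)
    print(set_cookie_header(token, ttl=600))
    print(verify_session_cookie(token, now=1500), verify_session_cookie(token, now=1600))
```

Verification keys off the HMAC and the server clock, so a stolen or tampered cookie fails closed; compare the three tampering cases in the checks below (expired, altered tag, altered user name) with the Basic-auth header, which the server can only accept or reject again on each request.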