in reply to Security in CGI and User Authentication

Just to cover all bases: you realize that unless you run the member-only part of the site under SSL you have no security at all? In HTTP passwords are passed in quasi-cleartext (when the user enters it the first time), so any measure you take only gives you the illusion of security.

As for load times, it really depends on the load on your server, but I am not sure you have to worry yet. I found this mod_perl talk quite interesting, and they quote 40/50 hits per second as a ballpark figure for when to move to mod_perl. You should be really happy if you get that kind of traffic (and your community should be worried about the cost of bandwidth at that point)!


Re: Re: Security in CGI and User Authentication
by Tanalis (Curate) on Dec 03, 2002 at 13:19 UTC
    Yep, I'm aware of the HTTP password security "problem" .. I'm running the user authentication components of the page using SSL already. Should probably have mentioned that up there somewhere :)

    Having said that, though, and just out of interest, would it not be possible to write some Perl script that crypts the password client-side, before it's shipped across to the server? Purely an "on-the-fly" question .. not something I'd even thought about until just now.

    -- Foxcub

      You may find this interesting. The site contains javascript (yes I know javascript sucks people) implementations of MD5 and other hashing functions. Yahoo uses it for non-SSL logins.

      -Lee

      "To be civilized is to deny one's nature."

      It still won't work because the password hash goes over the network in the clear, so all I have to do is sniff the cookie and feed it back to you. I needn't decrypt it - I already know it's a valid password hash as long as the user doesn't change his password.

      If you want the client to actively encrypt the data using some sort of variable token not sent across the network, well, that's exactly what SSL does.

      (Still, it would have been nice if HTTP natively had some sort of secure authentication like APOP's challenge-response mechanism. Alas, it doesn't (and can't - it's a stateless protocol).)

      Makeshifts last the longest.

      Perl requires a perl interpreter. Not to mention there's no easy way to hook perl into IE/MOZ/etc (to my knowledge).