Please read the post I put above this one

Thank you for your help. Yes I am already using SSL encryption but that doesn't stop someone from getting into the page and trying passwords and yes I will block IP adresses after 3 unsucessful tries at a password

To clarify my original posting (since my friend Ryan just informed me to use html tags in my positings this should read better) I am NEVER sending the secret code as plain text. The secret code is SHA1 hashed with the randomly generated number received from the server. So even if the session id is found by a packet sniffer then it wouldn't do any good since it is only for this session (the session would be linked to the client's ip address in addition)

Anyway the only security purpose this really servers is to indentify the remote user's computer.

In simplest terms, if you are the client and I am the server, it is like are you who you say you are? And if so hash this random number with the secret code and send me the result

Then I will do the same with what I know to be the secret code and with the random string I just generated and if our two hashes match I will let you access this part of my site

If you want more implentation details of the javascript see this page

If you were curious as well I am using mod_perl with CGI::Session using /IP-match/ on (I prefer CGI session to Apache::Session, although both are good, I just have more experience with CGI::Session)