Peter Gutmann wrote: > > Can anyone who knows Javascript better than I do figure out what the mess of > script on those pages is doing? It looks like it's taking the username and > password and posting it to an HTTPS URL, but it's rather spaghetti-ish code so > it's a bit hard to follow what's going where. >
Why have the log on your homepage at all? Why not just a link to the https login??? If the goal is to not have SSL overhead on the homepage, don't. Or is there some extra overhead for login processing that I don't know about? Is there some user dissatisfaction with an extra click to login? I suppose if you really wanted non-SSL logins, you could use a one-time passcodes system with variable length passcodes to prevent race attacks. -- Nick Owen WiKID Systems, Inc. 404.962.8983 (desk) 404.542.9453 (cell) http://www.wikidsystems.com At last, two-factor authentication, without the hassle factor --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
