> I have a client that would like to log in to a secure application from
> their website's home page. I'm looking for suggestions on how to save the
> username and password in a non-secure environment and then pass that
> data securely to a secure environment. This must be done without
> prompting the user with the standard IE message about secure and non-
> secure content.
> Any thoughts???
First off, storing credentials in a non-secure environment is madness.
Make sure your client understands this.
Second, don't go any further. You're not going to get a secure
environment if you leave the doors open.
If you must (and if that's what the client wants then you must), then I'd
go for a server-based security thing, with authentication being done by
the server based on data passed by the browser so the user doesn't even
know it's being passed.
Would it be OK to have the user complete some on-line form at the first
visit? Even just a single entry for them to identify themselves would do.
The request that comes in will have this user identifier (the only piece
collected from the user and only once ever, ever.) and details such as
the browser (HTTP_USER_AGENT), client IP address, etc.
I'd use this to generate a unique code and store it in a cookie on the
client.
The next time the user visits, his browser will send the cookie along with
the HTTP data, so you can perform some level of verification - if the
request is from a different address, browser, etc., then throw him off or
ask for credentials.
Of course this is easy to hack, but if the client wants easy entry for
proper users, he gets easy entry for hackers too. If it's hard for hackers
it's going to be slightly inconvenient for proper users.
That trade-off will always be there.
Brian Lowe
---------@
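The server-side scheme Brian sketches (one-time identifier, a code derived from it plus the browser and client address, stored in a cookie and re-checked on the next visit) as an added example; this is not code from the original thread. It assumes a server-held secret so the code is a keyed HMAC rather than a plain hash the browser could compute itself, a hypothetical cookie name, and a request represented as a plain dict; the sample requests are constructed. The caveat in the post still holds: anyone who can replay the cookie from the same browser and address passes the check, so a mismatch should fall back to asking for real credentials.

```python
import hashlib
import hmac
from typing import Optional

# Assumption (not from the post): the server keeps a secret key so the
# "unique code" is a keyed MAC that the client cannot mint on its own.
SERVER_SECRET = b"constructed-example-key-replace-in-real-deployments"

COOKIE_NAME = "sessid"  # hypothetical cookie name


def _fingerprint(user_id: str, user_agent: str, client_ip: str) -> bytes:
    # NUL separators keep ("ab", "c") distinct from ("a", "bc").
    return "\x00".join((user_id, user_agent, client_ip)).encode("utf-8")


def make_code(user_id: str, user_agent: str, client_ip: str,
              secret: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA256 over identifier + browser + address, hex-encoded for the cookie."""
    return hmac.new(secret, _fingerprint(user_id, user_agent, client_ip),
                    hashlib.sha256).hexdigest()


def issue_cookie(user_id: str, request: dict) -> str:
    """Called once, after the user has filled in the one-time identification form."""
    code = make_code(user_id,
                     request["headers"].get("User-Agent", ""),
                     request["remote_addr"])
    return f"{user_id}:{code}"


def verify_cookie(cookie_value: Optional[str], request: dict) -> Optional[str]:
    """Return the user id if the cookie matches this browser and address, else None."""
    if not cookie_value or ":" not in cookie_value:
        return None
    user_id, presented = cookie_value.rsplit(":", 1)
    expected = make_code(user_id,
                         request["headers"].get("User-Agent", ""),
                         request["remote_addr"])
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if hmac.compare_digest(expected, presented):
        return user_id
    return None


def handle_request(request: dict) -> str:
    """The decision the post describes: let the user in, or ask for credentials."""
    user_id = verify_cookie(request.get("cookies", {}).get(COOKIE_NAME), request)
    return f"allow:{user_id}" if user_id else "ask-for-credentials"


# Constructed sample traffic: first visit (no cookie), then a return visit
# from the same browser and address, then one from a different address.
FIRST_VISIT = {
    "headers": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
    "remote_addr": "203.0.113.7",
    "cookies": {},
}


def return_visit(cookie_value: str, remote_addr: str = "203.0.113.7") -> dict:
    return {
        "headers": dict(FIRST_VISIT["headers"]),
        "remote_addr": remote_addr,
        "cookies": {COOKIE_NAME: cookie_value},
    }


if __name__ == "__main__":
    cookie = issue_cookie("alice", FIRST_VISIT)
    print(handle_request(FIRST_VISIT))                          # ask-for-credentials
    print(handle_request(return_visit(cookie)))                 # allow:alice
    print(handle_request(return_visit(cookie, "198.51.100.9"))) # ask-for-credentials
```

Because the cookie carries the identifier in the clear, the HMAC is what stops a visitor from simply writing `bob:<anything>`; changing the identifier, the address or the browser string invalidates the code, and the request is pushed back to the credential prompt.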