Well, to retrieve a hashed password:
email the user a new password and then they use that password to log in and
make a new one.
But yes, for total security, it starts by having SSL set up on the webserver.
Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "Nikolai Devereaux" <yomama@U...>
To: "professional php" <pro_php@p...>
Sent: Wednesday, February 13, 2002 12:34 PM
Subject: [pro_php] Re: Page Protection
>
> also -- a lot of people use Apache's AuthUserFile directive to password
> protect a site.
>
> This doesn't keep anything all that secure, since a client's browser
> will send the username and password in plain text with every
> request to the server.
>
> The most secure thing I can think of is requiring a secure connection to
> your login page, using a form to submit login info, storing the login info
> in your own user database. Also, store a hash of the password instead of
> the actual password, and compare the hashes for equality. (the only
> drawback is that if a user forgets their password, they can change it, but
> not retrieve it. you don't ever store their password in your database,
> just the hash of it.)
>
> Nik
>
> > What do you mean by protect a page? You have to login to view it?
> >
> > You can either use HTTP headers to authenticate (that common web
> > pop up box that asks for user name, login and displays something
> > about realm) or you can "roll your own". You can make it where
> > someone has to go to a login page first, which is merely a form, and
> > then it forwards them to the page they want. You check the username
> > and password and if they are good, you display the page, if not, you
> > exit out of the script.
> >
> > The varied approach is what you authenticate against, and that is
> > based a lot on what platform you are running.
> >
> > > Does anyone know how many ways we can protect a page with a username
> > > and password?
> > > And which method is the best and most secure?
>
>
>
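An added example, not part of the thread and not any poster's code: the hash-only storage and "mail a new password, then make the user change it" flow discussed above, sketched in PHP. The in-memory `$users` array and all function names are hypothetical stand-ins for a real user database, and `password_hash()`, `password_verify()` and `random_bytes()` are PHP functions that postdate this 2002 thread.

```php
<?php
// Constructed in-memory table standing in for "your own user database".
$users = [];

function register_user(array &$users, string $email, string $password): void
{
    // Only the salted hash is stored; the plain password is never saved.
    $users[$email] = ['hash' => password_hash($password, PASSWORD_DEFAULT),
                      'must_change' => false];
}

function check_login(array $users, string $email, string $password): bool
{
    // password_verify() re-hashes the input with the salt embedded in the
    // stored hash, so the comparison is hash against hash.
    return isset($users[$email])
        && password_verify($password, $users[$email]['hash']);
}

function issue_temporary_password(array &$users, string $email): ?string
{
    if (!isset($users[$email])) {
        return null;
    }
    // The old password cannot be recovered from its hash, so a random
    // temporary one replaces it and the account is flagged for a change.
    $temp = bin2hex(random_bytes(8));
    $users[$email]['hash'] = password_hash($temp, PASSWORD_DEFAULT);
    $users[$email]['must_change'] = true;
    return $temp; // the caller mails this to the user
}

function change_password(array &$users, string $email, string $old, string $new): bool
{
    if (!check_login($users, $email, $old)) {
        return false;
    }
    $users[$email]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    $users[$email]['must_change'] = false;
    return true;
}

// Constructed walk-through: register, forget, reset, choose a new password.
register_user($users, 'user@example.com', 'original secret');
$temp = issue_temporary_password($users, 'user@example.com');
var_dump(check_login($users, 'user@example.com', 'original secret'));
var_dump(check_login($users, 'user@example.com', $temp));
var_dump(change_password($users, 'user@example.com', $temp, 'a new secret'));
var_dump($users['user@example.com']['must_change']);
```

The login page should refuse to show protected content while `must_change` is set, so the mailed password is only good for choosing a new one.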