Why not just store the username/a hash of the password in a cookie? The credential check would then be a comparison of the hash and a hashed entry in a database. This way, the password is never stored in plaintext.
Another method that I've seen involves a one time pad with sessions (stored on the server), so that no single side has sufficient information to determine the password. The only problem with this is that the password length would be revealed.
Of course, you could then just take advantage of sessions and store it on the server side. For Perl, CGI::Session (http://search.cpan.org/~markstos/CGI-Session-4.13/lib/CGI/Session.pm) might work.
Ricky
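The server-side session approach mentioned in the comment above, as an added example that is not part of the original thread. Python stands in for Perl's CGI::Session here, and `SessionStore`, `SESSION_TTL`, the PBKDF2 parameters and the in-memory tables are assumptions made for this illustration; the cookie carries only a random ID, so nothing derived from the password leaves the server.

```python
import hashlib, hmac, os, secrets, time

SESSION_TTL = 1800  # seconds a session stays valid (assumed value)

class SessionStore:
    """Hypothetical server-side store: the cookie value is an opaque random ID."""
    def __init__(self):
        self._users = {}     # username -> (salt, salted password hash)
        self._sessions = {}  # sha256(session id) -> (username, expiry time)

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _key(cookie_value):
        # Only a hash of the ID is kept, so a leaked table cannot be replayed.
        return hashlib.sha256(cookie_value.encode()).hexdigest()

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash_password(password, salt))

    def login(self, username, password, now=None):
        """Return a fresh cookie value on success, None on bad credentials."""
        now = time.time() if now is None else now
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash_password(password, salt)):
            return None
        session_id = secrets.token_urlsafe(32)  # unrelated to the password
        self._sessions[self._key(session_id)] = (username, now + SESSION_TTL)
        return session_id

    def whoami(self, cookie_value, now=None):
        """Map a cookie value to a username, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._key(cookie_value))
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._sessions[self._key(cookie_value)]
            return None
        return username

    def logout(self, cookie_value):
        # Revocation is a server-side delete; the old cookie stops working.
        self._sessions.pop(self._key(cookie_value), None)
```

Because each login issues a new random ID that expires and can be revoked, a captured cookie is useful only for that one session, whereas a cookie holding a password hash would stay valid until the password changes.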
Actually, if you use the file upload function, they perform no script checking at all (this is probably why they used a separate domain).