Secure(er) login using MD5 in JavaScript

Anon

I've noticed people have started using MD5 in JavaScript so the password isn't sent in plaintext... Good idea!

Well, I was trying to come up with a way to send a random number out, which the JS includes when MD5ing, so people can't write scripts that keep posting MD5s trying to get in, however I don't know how I could have the server remember the random number for each visitor without relying on something coming back from the form (cos that could easily be fudged!)

Any ideas? I thought about cookies/sessions, but again, that relies on the random value coming back from the client...

hal9000

You can set a cookie (or something comming back from the user) as an ID. Then used that ID to load a file with the random number, or use as an seed in your random routin.

Anon

I've actyally sorted it now thanks. I generate a random number and send it out with the javascript, and this is hashed with the password. After submitting the form, the random variable is then taken from a php session (if I took it from whatever came back from the form, it can be tampered with) and then hash it with the password and see if the hashes match.

Danny