Thanks for the useful info so far. I agree about the basic Apache .htaccess and .htpasswd authentication - it would certainly be easy to implement.
The problem that I have is that the purpose of the web based app is to allow the user to run reports from some network gear running on their WAN. This means that the app has to see the gear on the internal side of the customers' firewall and requires the passwords for this kit. I have to convince the network admins that there are minimal security implications in using my application over the internet.
The thoughts about SSL are good, and I am looking into it (also with Verisign), however I am concerned about the speed implications of SSL as I don't want to run into connection timeout problems.
Client-side password encryption seems a good idea, particularly when used with something like the http://www.phpsecurepages.com app. I came across an excellent system at http://www.polar-lights.com, however it is (quite rightly) designed to limit user access from known IP addresses and my users will need to access my app from various locations (different offices, home etc). I also cannot dictate the use of just IE browsers, although I can dictate that users have cookies and javascript enabled (as these are required to administer the networking gear directly). Quite a challenge!
Devarticles - yes I am interested!
Taking this a stage further - I am still trying to find out about the web server IP address transmission to the firewall. As my app sets up connections with the network gear through the firewall, I understand that it is the web server, and not the client, IP address that the server sees. The app also runs reports from the equipment's CGI bin via <img src = 123.123.123.123/?cgi> which is from the client's browser - does the firewall still see the web server address for this transaction?
Thanks for your excellent help so far.