You don't need to bother with HTTPS or encryption if you use a challenge-response methodology. For that simple Hashing will do (AS3 corelib has a SHA256 implementation among others). Servers sends random text challenge to client. Client responds back with hashed combo of random text and the password, along with username. Server confirms both know the same thing by comparing hashes without ever sending the password over the wire. Pretty simple to implement. Also depending on the application server you may not need to bother with generating a session token and storing/passing it. For example with ASP.NET all HTTPService and RemoteObject calls are within the context of a user session so on the server side we can use the built-in Session support with no custom coding. Sam
------------------------------------------- We're Hiring! Seeking a passionate developer to join our team building Flex based products. Position is in the Washington D.C. metro area. If interested contact [EMAIL PROTECTED]
