I noticed with Gmail that if I am offline for an extended period of time, it will ask me for my password again. I can understand the security benefit from this (suppose you lost your laptop), but I don't understand how to do it in my application.
When online, I hash the password and compare this to the hashed password in my database. The hash is a secret, so I don't want to transfer this to the client. I also don't want to store the password on the client in plain text. And regardless of whatever mechanism I choose to use, it is quite easy to get around this by modifying the local JavaScript, or by looking at the unencrypted database file on the local computer. So is it really necessary to authenticate the user while offline? How does Gmail do it?
