> 2 questions/points:
> * You're assuming here that there's no way to fake the session, I presume?
> * How do you propose to share this "random number" without Eve the
> Eavesdropper finding it out?
>
> Given that either the session or the "random" number can be maintained
> secret (and you only use the secret one), this is a viable solution.
> Keeping these two elements secret is another matter.
The point is, you can't keep the sessionId/randomNumber secret, and you also don't NEED to keep it secret! In other words, it doesn't help the attacker to know the random number or session Id.

What really needs to be kept secret is the password, which will never be sent over the net in plaintext!

The point is, the server determines the random number/sessionId, and if the hacker sends the same hash that the original user sent, it won't work, because the server will then be expecting a different sessionId/randomNr.

Roland
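The challenge-response exchange described above, as an added example that is not part of the original post: the server issues a fresh single-use nonce per session, the client returns a keyed hash of that nonce under the password, and a replay of the captured hash fails whether it reuses the old session id or a new one. The `Server` class, `compute_response` and the HMAC-SHA256 construction are assumptions made for this illustration, not something the thread specifies.

```python
import hashlib
import hmac
import secrets


def compute_response(password: str, nonce: str) -> str:
    """Client-side proof: keyed hash of the server's nonce under the password.

    The password itself never crosses the wire, only this digest. Note that a
    captured digest still permits offline guessing of a weak password."""
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class Server:
    """Issues one nonce per login attempt and verifies the client's response."""

    def __init__(self, users):
        # Constructed demo store: username -> password (a real server would
        # keep a password-derived verifier rather than the password).
        self._users = users
        self._pending = {}  # session_id -> nonce awaiting a response

    def start_session(self):
        session_id = secrets.token_hex(8)
        nonce = secrets.token_hex(16)
        self._pending[session_id] = nonce
        return session_id, nonce

    def verify(self, session_id: str, user: str, response: str) -> bool:
        # pop() makes the nonce single-use: a replayed response can never
        # match, even though the attacker saw both the session id and the hash.
        nonce = self._pending.pop(session_id, None)
        if nonce is None or user not in self._users:
            return False
        expected = compute_response(self._users[user], nonce)
        return hmac.compare_digest(expected, response)


def run_exchange(server: Server, user: str, password: str):
    """One login; returns (accepted, session_id, response) as seen on the wire."""
    session_id, nonce = server.start_session()
    response = compute_response(password, nonce)
    return server.verify(session_id, user, response), session_id, response


def replay_scenario():
    """Legitimate login succeeds; Eve's replay of the sniffed values fails twice."""
    server = Server({"alice": "correct horse battery staple"})
    ok, sid, resp = run_exchange(server, "alice", "correct horse battery staple")
    replay_same_session = server.verify(sid, "alice", resp)  # nonce consumed
    new_sid, _ = server.start_session()  # server now expects a different nonce
    replay_new_session = server.verify(new_sid, "alice", resp)
    return ok, replay_same_session, replay_new_session
```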
