It would be neat if perl's crypt() could decrypt things. But it can't (its strength is that it's a one-way scheme... there is no way to read the plain-text, one can only compare two encrypted strings and thus know if the two underlying plaintexts were the same).

Even public-key doesn't seem safe... the whole problem is that anyone who sniffs packets sees everything that gets sent, in whatever form it's sent. So even if the cgi script only looks at encrypted strings, it has no idea if that string of gibberish came from your JavaScripted page, or from someone who spied on the results of that page.

Perhaps using one-time keys would work? Every time the page is sent, a random encryption key is generated and embedded in the JS. Then a hidden field is added with a serial number. The server stores the serial#:key pairs. When the page gets submitted, the script looks up the key, decrypts the submission, and then marks the serial# as 'used'. That way even if someone sat down at the exact same machine and resubmitted the exact same form that some moron forgot to clear from cache, it wouldn't work.

dan

Strider said:
:
: Write the crypt() routine in Javascript or Java, and have it submit an
: encrypted password to be decrypted with perl's crypt() routine, or
:
: Use a DES routine (similarly constructed) and then use DES.pl to get the
: password back out.

--
Daniel Macks
dmacks@a.chem.upenn.edu
dmacks@netspace.org
http://www.netspace.org/~dmacks
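The one-time-key scheme proposed in the message above, sketched as an added example (not code from the original post). The function names, the in-memory `issued` map, and the use of AES-256-GCM from Node's `crypto` module are assumptions; the message names no cipher or storage.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('crypto');

// serial -> { key, used }. Hypothetical in-memory stand-in for the server's store.
const issued = new Map();

// Server: run each time the page is sent. The key is embedded in the page's
// script and the serial goes into a hidden form field.
function issuePage() {
  const serial = randomBytes(8).toString('hex');
  const key = randomBytes(32);
  issued.set(serial, { key, used: false });
  return { serial, key: key.toString('hex') };
}

// Browser side, simulated here: encrypt the field with the embedded key.
// Output layout: 12-byte IV | 16-byte GCM tag | ciphertext, base64-encoded.
function encryptField(keyHex, plaintext) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', Buffer.from(keyHex, 'hex'), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

// Server: look up the key by serial, refuse reuse, then decrypt.
function handleSubmit(serial, blobB64) {
  const entry = issued.get(serial);
  if (!entry) return { ok: false, reason: 'unknown serial' };
  if (entry.used) return { ok: false, reason: 'serial already used' };
  // Assumption: the serial is burned on the first attempt, even if
  // decryption then fails, so each issued page gets exactly one try.
  entry.used = true;
  try {
    const buf = Buffer.from(blobB64, 'base64');
    const decipher = createDecipheriv('aes-256-gcm', entry.key, buf.subarray(0, 12));
    decipher.setAuthTag(buf.subarray(12, 28));
    const plain = Buffer.concat([decipher.update(buf.subarray(28)), decipher.final()]);
    return { ok: true, value: plain.toString('utf8') };
  } catch (err) {
    // Wrong key, truncated blob, or tampered ciphertext all land here.
    return { ok: false, reason: 'decryption failed' };
  }
}
```

What the serial check stops is resubmission of a captured or cached form. The key still travels inside the page, so anyone who can read the page in transit can read the key too, and confidentiality depends on an encrypted transport such as TLS.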