Authentication - how do YOU do it?

Discussion in 'Apache' started by dave613, May 14, 2006.

  1. #1
    Hello all,

    I'm developing a login system for some perl software running on apache.

    I'm wondering how people can authenticate users properly, when a certain amount of security is required, without having to use SSL on every page.

    The login system is implemented with an SSL login page which inserts something like the following into the .htaccess file of a users directory/control panel (the software provides the user with a control of information):

    #<%START SESSION: jJgo4BAEEUfBtt6AJKbr%>
    # Redirect when the client's hostname does not match the one seen at login ...
    RewriteCond %{REMOTE_HOST} !^.*localhost.*$ [OR]
    # ... or when the Cookie header does not carry the session ID issued at login
    RewriteCond %{HTTP_COOKIE} !^.*username=jJgo4BAEEUfBtt6AJKbr.*$
    RewriteRule ^.*$ http://mysite/login?Message=Not+Authorized [R]
    #<%END SESSION: jJgo4BAEEUfBtt6AJKbr%>

    So anyone who doesn't have the hostname they logged in with and a cookie with the session ID in it is redirected back to the login page.

    I'm aware that a hacker with a packet sniffer could potentially get the session ID and spoof the hostname and gain access to the control panel, but at least they couldn't gain access to the password because of the SSL.

    It works grand, except that I foresee problems with people who have dynamic proxy hostnames (such as those poor fellows on AOL). It would surely redirect them to the login page every time they try to log in.

    So I'm wondering how other people authenticate their users (without having to use SSL on every page)? What environment variables can be used to make sure the user is who they say they are? I could just do away with the hostname and just authenticate using the cookie session ID, but it would be nice to have some extra protection.

    Any ideas?

    Cheers,

    Dave
     
    dave613, May 14, 2006 IP
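As an added illustration (this is not code from the post or from Dave's Perl software), the following Python emulates how mod_rewrite evaluates the two negated RewriteConds joined by [OR] in the fragment above, and runs that decision over constructed requests: the happy path, the AOL-style rotating-proxy failure mode the post predicts, the hostname spoof the post acknowledges, and the cookie-only variant it considers. The session ID and redirect URL are copied from the post; the proxy hostnames and cookie headers are made up for the example. Two caveats a practitioner would want alongside it: `%{REMOTE_HOST}` only holds a hostname when Apache performs a reverse lookup (HostnameLookups On), otherwise it contains the client IP address; and because reverse DNS for an address is set by whoever controls that address block, a pattern like `^.*localhost.*$` is a substring match that any PTR record containing "localhost" will satisfy.

```python
import re

# Values taken from the .htaccess fragment in the post.
SESSION_ID = "jJgo4BAEEUfBtt6AJKbr"
LOGIN_URL = "http://mysite/login?Message=Not+Authorized"


def rewrite_block(session_id, login_host):
    """Build the fragment the SSL login page would write into the user's
    .htaccess, in the same shape as the post, with the hostname recorded
    at login in place of the literal 'localhost' (dots are escaped so they
    do not act as regex wildcards)."""
    return "\n".join([
        f"#<%START SESSION: {session_id}%>",
        f"RewriteCond %{{REMOTE_HOST}} !^.*{re.escape(login_host)}.*$ [OR]",
        f"RewriteCond %{{HTTP_COOKIE}} !^.*username={session_id}.*$",
        f"RewriteRule ^.*$ {LOGIN_URL} [R]",
        f"#<%END SESSION: {session_id}%>",
    ])


def evaluate(remote_host, http_cookie, session_id=SESSION_ID,
             login_host="localhost", require_host=True):
    """Emulate mod_rewrite's decision for one request.

    Each RewriteCond is negated (!) and [OR] joins them, so the RewriteRule
    fires when EITHER the host does not match OR the Cookie header lacks the
    session ID. Returns the redirect URL when the rule fires, None when the
    request is allowed through. require_host=False emulates the cookie-only
    variant (drop the REMOTE_HOST condition altogether).
    """
    # ^.*X.*$ is just a substring match for X, so neither value is anchored.
    host_ok = re.search(re.escape(login_host), remote_host or "") is not None
    cookie_ok = re.search("username=" + re.escape(session_id),
                          http_cookie or "") is not None
    if (require_host and not host_ok) or not cookie_ok:
        return LOGIN_URL
    return None


def scenarios():
    """Constructed requests covering the cases discussed in the post."""
    good_cookie = "theme=dark; username=" + SESSION_ID + "; lang=en"
    aol_login = "cache-rtc-aa01.proxy.aol.com"  # constructed: host seen at login
    aol_next = "cache-rtc-aa07.proxy.aol.com"   # constructed: next request, other proxy
    return {
        # Happy path: same host as at login, session cookie present.
        "same_host_with_cookie": evaluate("localhost", good_cookie),
        # No cookie at all: sent back to the login page.
        "same_host_no_cookie": evaluate("localhost", ""),
        # Cookie present but carrying some other session ID.
        "same_host_stale_cookie": evaluate("localhost", "username=AAAAAAAAAAAAAAAAAAAA"),
        # Failure mode from the post: the user's proxy hostname changed between
        # login and the next request, so a legitimate user is bounced.
        "aol_proxy_rotates": evaluate(aol_next, good_cookie, login_host=aol_login),
        # Weakness from the post: a sniffed cookie plus a reverse-DNS name that
        # merely contains 'localhost' satisfies the substring match.
        "spoofed_reverse_dns": evaluate("localhost.attacker.example", good_cookie),
        # Cookie-only variant: the rotating proxy is no longer a problem ...
        "cookie_only_aol": evaluate(aol_next, good_cookie,
                                    login_host=aol_login, require_host=False),
        # ... but a stolen cookie now works from anywhere.
        "cookie_only_stolen": evaluate("evil.example.net", good_cookie,
                                       login_host=aol_login, require_host=False),
    }


if __name__ == "__main__":
    print(rewrite_block(SESSION_ID, "cache-rtc-aa01.proxy.aol.com"))
    for name, outcome in scenarios().items():
        print(f"{name:26} -> {'redirect to login' if outcome else 'allowed'}")
```

Running it shows the trade-off the post is weighing: the hostname condition is what breaks AOL users, and removing it leaves the sniffed session cookie as the only credential on every non-SSL page, exactly as the post anticipates.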