Hmm… thought in my head.
$Server_Pass_Hash // Server has a hash of the users password, retrieved from a database.
var $Date = now(); // Current date as of the moment now()
Server sends the $Date to the client browser.
Client types in the password in an <input type="password"> box. $Client_Password.
Use a JS function called Hash(value) to generate a hash.
$temp = Hash($Client_Password);
$Client_Hashed_password = Hash($temp + $Date);
Send both back to server.
Server checks to see if the $Date is less than 2 minutes old (or whatever). If bad, redo, else…
$chk = Hash($Server_Pass_Hash + $Date);
if ($chk == $Client_Hashed_password)
//then allow into the system, via a session ID.
After typing the above, it scares me a little to know that I can have a coherent thought like that. The flow works.
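
The flow described above, written out for both sides in Node.js as an added example (not the poster's code). SHA-256 standing in for Hash(), the sample password, the `usedDates` single-use set and the constant-time comparison are assumptions added here.

```javascript
// Added example: the timestamp challenge-response login from the post.
const crypto = require('node:crypto');

const MAX_AGE_MS = 2 * 60 * 1000; // the post's "2 minutes old (or whatever)"

// Hash(value) from the post; SHA-256 is an assumption.
const hash = (v) => crypto.createHash('sha256').update(String(v)).digest('hex');

// $Server_Pass_Hash: what the database holds. The password is a constructed sample.
// The server verifies using only this value, so it must be protected like the
// password itself.
const serverPassHash = hash('correct horse');

// Hypothetical addition: remember each accepted $Date so a captured response
// cannot be submitted a second time inside the two-minute window.
const usedDates = new Set();

// Browser side: $Client_Hashed_password = Hash(Hash($Client_Password) + $Date)
function clientResponse(password, date) {
  const temp = hash(password);
  return hash(temp + date);
}

// Server side: freshness check, single-use check, then the hash comparison.
function serverVerify(date, clientHashed, now) {
  if (!Number.isFinite(date) || date > now || now - date >= MAX_AGE_MS) {
    return 'stale'; // "If bad, redo"
  }
  if (usedDates.has(date)) return 'reused';
  const chk = Buffer.from(hash(serverPassHash + date), 'hex');
  const got = Buffer.from(String(clientHashed), 'hex');
  // timingSafeEqual requires equal lengths and avoids an early-exit comparison.
  if (got.length !== chk.length || !crypto.timingSafeEqual(chk, got)) {
    return 'denied';
  }
  usedDates.add(date);
  return 'ok'; // allow into the system, via a session ID
}
```
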