PHP-based authentication on UVic servers
I'm trying to find a relatively secure way to do authentication for small projects using PHP on our servers. The best approach, as far as I can see, would be to use HTTP Digest Authentication, which allows encrypted authentication over regular HTTP connections (no need for SSL). This is supported in PHP, but unfortunately it only works if PHP is running as an Apache module; on our servers, PHP is running in CGI mode, so we can't use it.
So at the moment, I'm rather stuck. I've been able to use the PHP crypt() function to store only hashes of passwords, so that we're not, at least, storing text files with passwords in clear text on the network, but for the authentication process itself, we're still sending passwords in cleartext over HTTP. We're going to set up a self-signed certificate on Lettuce, so that at least we can use SSL, but that will throw up some warnings in browsers because it'll be self-signed. Greg and I have talked about the possibility (and cost -- $229 per year) of getting a "proper" certificate for hcmc.uvic.ca, and putting in proxy URLs for all projects that need to use SSL for authentication. That might well be worth the money, at this point.
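As an added example of the hash-only storage described above (this is not code from the original post or from HCMC's projects), the script below uses PHP's crypt() with a bcrypt salt to write only password hashes to a flat credential file and to verify logins against them in constant time. The file layout (one `username:hash` per line), the function names and the temporary-file demo are assumptions for illustration; it needs PHP 7.1 or later for random_bytes(), hash_equals() and the syntax used.

```php
<?php
// Added example, not code from the original post: keep only crypt() hashes
// on disk and verify submitted passwords against them.

// Build a bcrypt salt for crypt(): "$2y$" + cost + "$" + 22 chars from [./A-Za-z0-9].
function make_bcrypt_salt(int $cost = 10): string {
    $raw = base64_encode(random_bytes(16));          // 24 chars incl. '==' padding
    $salt22 = substr(strtr($raw, '+', '.'), 0, 22);  // map to the bcrypt alphabet
    return sprintf('$2y$%02d$%s', $cost, $salt22);
}

// Hash a password; the returned string embeds algorithm, cost and salt.
function hash_password(string $password): string {
    $hash = crypt($password, make_bcrypt_salt());
    // crypt() signals failure with a short string such as "*0"; never store that.
    if (strlen($hash) < 60) {
        throw new RuntimeException('bcrypt not available in this PHP build');
    }
    return $hash;
}

// Verify a password against a stored hash without leaking timing information.
function verify_password(string $password, string $storedHash): bool {
    // crypt() reads the salt (and cost) back out of $storedHash.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Credential file (assumed layout): one "username:hash" per line, hashes only.
function load_users(string $path): array {
    $users = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        [$user, $hash] = explode(':', $line, 2);
        $users[$user] = $hash;
    }
    return $users;
}

function authenticate(array $users, string $user, string $password): bool {
    // Hash against a dummy salt when the user is unknown, so the time taken
    // does not reveal which usernames exist in the file.
    $hash = $users[$user] ?? '$2y$10$' . str_repeat('.', 53);
    return verify_password($password, $hash) && isset($users[$user]);
}

// Demo with a constructed credential file in a temporary location.
$file = tempnam(sys_get_temp_dir(), 'htpw');
file_put_contents($file, "alice:" . hash_password('correct horse') . "\n");
$users = load_users($file);
var_dump(authenticate($users, 'alice', 'correct horse'));
var_dump(authenticate($users, 'alice', 'wrong'));
var_dump(authenticate($users, 'mallory', 'anything'));
unlink($file);
```

Passing the stored hash back to crypt() as the salt argument is what makes verification work: crypt() extracts the `$2y$10$...` prefix and recomputes the hash, and hash_equals() compares the two strings in constant time. This only protects the file at rest; as the post notes, the submitted password still crosses the network in cleartext until the connection runs over SSL.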