What does this do?

This script uses the SHA-256 algorithm, implemented client-side in JavaScript and server-side in PHP, together with XMLHttpRequest calls, to create and send a password between the client and the server in a secure manner, even across unencrypted links.

How does it do this?

The XMLHttpRequest calls retrieve a time value and a randomly generated password salt from the server. Both values are appended to the password string you enter, the result is hashed twice with SHA-256 in JavaScript, and the resulting digest, the time, and the salt value are then submitted to the server.

What's the point?

The point is that your password is never sent over the link in clear text. The server can use the hashed result of your submission, the random salt value, and the time value to authenticate your password without ever having to know your original password. Additionally, once you are logged in, the server should be told to only allow login attempts from the same network address you connected from, until you log out or your login session expires, thus preventing session hijacking.

Each time you wish to log in, the random salt and time values used are unique, so if somebody on your network were able to monitor your traffic and try to log in using the same data you just submitted to the login script, they would be denied, because the value accepted for login is always unique. The request time must be within 10 seconds of the current time, and trying to log into the same account again within 10 seconds is disallowed. If someone on your network is able to see the data you send to my server, copy it, and send it to try to log in as well, the attempt fails as a result.

This project is ready for database implementation; however, the rest of my site is not ready to use this functionality at this point in time.