"Sergei Chernev" <ser(at)nsu(dot)ru> writes:
>But if I want to create subform, I have to know username/password again.
>Now, I'm solving this problem transmitting <input type="hidden"> back
>to client - but this method is wrong.
Make an MD5 checksum of the username, password, and current time. Send the
MD5 checksum in a hidden field (or use a cookie). Keep a server-side cache
of the currently valid checksums (expire the old ones periodically), and
check the incoming checksum against the cache for each request.
-Michael Robinson