After logging in to the showoff.php3 example, the password is set to "" in the doChallengeResponse function in the crclogin.ihtml script. I verified this by adding an alert echoing its value. However, when I do an echo $password in the showoff.php3 script, I can still view the password. Shouldn't the password be "" since it was explicitly set to this in the crclogin script? If I can read the value from its echo, does that mean someone can sniff out the password?

Thanks for any help,