Time string, nah. If they're using a hash, that wouldn't make sense, since the server wouldn't know that exact timestamp from *nix epoch, so it wouldn't be able to make the exact same hash. The variables used in the hash should be known to both the client and server. Since all the client sends to the server prior to the authentication hash is the macaddress, os, version, ip, that, along with the PHP Session ID and all the data they can get from the db, is what will be used in the hash. So possible variables according to me would be:

- ip
- macaddress
- os
- version
- php_session_id
- username
- password

Anyways, I'm too busy for a couple of weeks, but we'll definitely find a way around it 🙂 soon. Thanks for all your help max, we need it to kill Sify :P