Or you could try to use a ticket - then you wouldn't need SSL: log in once using OTP, get a cookie (or hidden form field, or URL) protected by MD5 and send that cookie around in the next requests.
http://www.modperl.com/book/chapters/ch6.html#Cookie_Based_Access_Control

2005/8/10, Dirk-Willem van Gulik <[EMAIL PROTECTED]>:
> The problem is that each HTTP request carries a new password - so in the
> general case you would run through a lot of those in short order. What
> I've done routinely is have a 'login' on http application level; verify a
> one time password there and then issue a string cookie. And then allow
> access based on the presence of that cookie (and a check that the
> connection is over SSL, etc).

