On Wed, 10 Aug 2005, Alexander Farber wrote:
> Or you could try to use a ticket - then you wouldn't need SSL: login
> once using OTP, get a cookie (or hidden form field, or URL) protected by
> MD5 and send that cookie around in the next requests
> http://www.modperl.com/book/chapters/ch6.html#Cookie_Based_Access_Control
You probably want to do that over SSL - or very tightly bind that crypto cookie to the client IP (and hope that there ain't no NAT) - as otherwise sniffing and reusing that plaintext cookie sort of defeats the one-time password semantics.

Dw.
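An added example (not code from the thread or from the mod_perl book) of the ticket scheme under discussion, with the IP binding Dw. suggests: after the OTP login the server mints a ticket whose MAC covers the user name, an expiry time and the client address the server sees on the connection, so a ticket sniffed in the clear and replayed from another address fails verification. It uses HMAC-SHA256 rather than the book's plain MD5 construction, a hypothetical server secret, and a made-up user and pair of addresses; the final check deliberately shows the NAT caveat, where a replay from the same address still passes.

```python
import hashlib
import hmac
import time

# Hypothetical server-side secret (assumption: in practice loaded from a file
# readable only by the web server, never sent to the client).
SECRET = b"example-server-secret-do-not-reuse"

# Field separator; "|" rather than ":" so IPv6 client addresses do not collide with it.
SEP = "|"


def _mac(user, expiry, client_ip):
    """HMAC over user, expiry and the connection's peer address.

    The address is NOT stored in the ticket; it is taken from the connection
    on every request, so the binding cannot be edited out of the cookie.
    """
    payload = SEP.join((user, str(expiry), client_ip)).encode()
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def mint_ticket(user, client_ip, lifetime, now=None):
    """Issue a ticket 'user|expiry|mac' right after a successful OTP login."""
    now = int(time.time()) if now is None else now
    expiry = now + lifetime
    return SEP.join((user, str(expiry), _mac(user, expiry, client_ip)))


def verify_ticket(ticket, client_ip, now=None):
    """Return the user name if the ticket is valid for this connection, else None.

    client_ip must be the peer address of the current request, not anything
    the client sent in the cookie or a header.
    """
    now = int(time.time()) if now is None else now
    try:
        user, expiry_s, mac = ticket.split(SEP)
        expiry = int(expiry_s)
    except ValueError:          # malformed ticket: wrong field count or non-numeric expiry
        return None
    if now >= expiry:           # expired tickets are refused even if the MAC is fine
        return None
    # Recompute with the address we actually see; a replay from another
    # address yields a different MAC. Constant-time compare avoids timing leaks.
    if not hmac.compare_digest(_mac(user, expiry, client_ip), mac):
        return None
    return user


if __name__ == "__main__":
    # Constructed scenario: alice logs in via OTP from 203.0.113.7 at a fixed time.
    t0 = 1_123_000_000
    ticket = mint_ticket("alice", "203.0.113.7", lifetime=3600, now=t0)
    print("legitimate request:", verify_ticket(ticket, "203.0.113.7", now=t0 + 10))
    print("sniffed, replayed elsewhere:", verify_ticket(ticket, "198.51.100.9", now=t0 + 10))
    print("after expiry:", verify_ticket(ticket, "203.0.113.7", now=t0 + 3600))
    # The NAT caveat: an attacker behind the same NAT presents the same source address.
    print("replayed from behind the same NAT:", verify_ticket(ticket, "203.0.113.7", now=t0 + 20))
```

The last line of the demo is the point of the reply: IP binding only narrows the replay window to hosts that share the victim's public address, which is why the thread recommends SSL in the first place. Expiry keeps a stolen ticket from living forever, but does nothing against an attacker who replays it immediately.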

