in reply to Re: Re: Security in CGI and User Authentication
in thread Security in CGI and User Authentication

It still won't work because the password hash goes over the network in clear, so all I have to do is sniff the cookie and feed it back to you. I needn't decrypt it - I already know it's a valid password hash as long as the user doesn't change his password.

If you want the client to actively encrypt the data using some sort of variable token not sent across the network, well, that's exactly what SSL does.

(Still, it would have been nice if HTTP natively had some sort of secure authentication like APOP's challenge-response mechanism. Alas, it doesn't (and can't - it's a stateless protocol).)

Makeshifts last the longest.

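To make the replay point concrete, here is an added example (my own code, not from the thread) contrasting a cookie that carries the password hash with the APOP-style challenge-response the post mentions; the user, password and the server-side nonce store are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed credential store: user -> SHA-256 of the password. The server
# never needs the cleartext password, only this verifier.
USERS = {"alice": hashlib.sha256(b"correct horse").digest()}


def static_cookie(password):
    """The scheme the post criticises: the cookie IS the password hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def static_cookie_valid(user, cookie):
    """Server check for the static scheme: anyone holding the hash is 'logged in'."""
    return hmac.compare_digest(USERS[user].hex(), cookie)


class ChallengeServer:
    """APOP-style challenge/response. The server must remember each nonce it
    issued (state a CGI would keep in a file or database), which is exactly the
    state plain HTTP does not give you for free."""

    def __init__(self):
        self.outstanding = {}  # nonce -> user it was issued to

    def challenge(self, user):
        nonce = secrets.token_hex(16)  # fresh, unpredictable, single-use
        self.outstanding[nonce] = user
        return nonce

    def verify(self, user, nonce, response):
        # pop() consumes the nonce: a second presentation (a replay) fails here
        if self.outstanding.pop(nonce, None) != user:
            return False
        expected = hmac.new(USERS[user], nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(password, nonce):
    """What the browser/client would send: HMAC(secret, nonce), never the secret."""
    secret = hashlib.sha256(password.encode()).digest()
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def demo():
    # 1. Static hash cookie: a value captured once keeps working indefinitely.
    sniffed = static_cookie("correct horse")
    replay_static_ok = static_cookie_valid("alice", sniffed)  # True
    # 2. Challenge/response: the captured response is bound to a used nonce.
    srv = ChallengeServer()
    nonce = srv.challenge("alice")
    resp = client_response("correct horse", nonce)
    first_ok = srv.verify("alice", nonce, resp)      # True
    replay_cr_ok = srv.verify("alice", nonce, resp)  # False, nonce consumed
    return replay_static_ok, first_ok, replay_cr_ok
```

The challenge-response stops a captured response from being reused, but the stored hash is still password-equivalent if the server's store leaks, and nothing here protects the rest of the session, which is the transport-encryption job the post assigns to SSL.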