Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

Would they have to be in forms?  Or couldn't you just send an expiring cryptographic hash of some kind in the URL variables?