Use a generated UUID stored in a cookie, instead of the session key, as a portion

of the encryption key we use to encrypt the password for storage in the session.

It should now be more or less impossible for an attacker to get the password, as
they need access to the browser and the server.

0 files changed, 0 insertions, 0 deletions