Session regen's, and lifespan's

[circuitbomb]

The user session needs to be regenerated at login and if the user-agent changes during a session.
Also passwords shouldnt be stored session side, even with a salt, perhaps use another unique string in place (md5(mt_rand()))
Also session lifetime should be set:

[circuitbomb]

well considering a couple of these are specified in the config, I suppose it would only be necessary to regenerate the session on specific changes

[thody]

Yeah, that's what I was thinking. Thanks for pointing out the pw in the session, looks like that was happening in the update method when the user updated their pw. Patched now.

[circuitbomb]

Closing this in lue of persistence and that pw is no longer stored session side.