store session pass as hash

This avoids having the blowfish encrypted pass stored together with the
decryption key on the same server.

inc/auth.php

@@ -209,8 +209,9 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
                     $auth->useSessionCache($user) &&
                     ($session['time'] >= time()-$conf['auth_security_timeout']) &&
                     ($session['user'] == $user) &&
-                    ($session['pass'] == $pass) &&  //still crypted
+                    ($session['pass'] == sha1($pass)) &&  //still crypted
                     ($session['buid'] == auth_browseruid()) ){
+
                 // he has session, cookie and browser right - let him in
                 $_SERVER['REMOTE_USER'] = $user;
                 $USERINFO = $session['info']; //FIXME move all references to session
@@ -979,7 +980,7 @@ function auth_setCookie($user,$pass,$sticky) {
     }
     // set session
     $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
-    $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass;
+    $_SESSION[DOKU_COOKIE]['auth']['pass'] = sha1($pass);
     $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
     $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
     $_SESSION[DOKU_COOKIE]['auth']['time'] = time();