Closed
Description
RootPage.app().authentication().setCookie(request, response, user);
The user argument contains sensitive information, such as the user password. The user password is combined with the user login to form a hash using the SHA-1 algorithm. However, this is a weak algorithm, and tools like hash killer can easily decrypt billions of hashes.
I would suggest avoiding passing the user password to setCookie(). This would help to prevent someone from accessing our accounts when they have access to our browser cookies.
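An added example, not the project's code: the password-derived cookie value described in this issue next to a random, revocable session token whose digest is the only thing kept server-side. The class and method names, the `login:password` concatenation format and the in-memory map standing in for a database table are all assumptions; it needs Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class SessionCookieDemo {
    record Session(String login, Instant expires) {}
    private static final SecureRandom RNG = new SecureRandom();
    // Hypothetical in-memory stand-in for a server-side table: SHA-256(token) -> session.
    private static final Map<String, Session> SESSIONS = new ConcurrentHashMap<>();

    static String digestHex(String algorithm, String input) throws Exception {
        byte[] d = MessageDigest.getInstance(algorithm).digest(input.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(d);
    }
    // Pattern described in the issue (concatenation format is assumed): the value is a fixed
    // function of the password, so it never rotates and can be checked against password guesses.
    static String passwordDerivedCookie(String login, String password) throws Exception {
        return digestHex("SHA-1", login + ":" + password);
    }
    // Alternative: 256 random bits unrelated to the password; only the digest is stored.
    static String issueToken(String login, long ttlSeconds) throws Exception {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.put(digestHex("SHA-256", token), new Session(login, Instant.now().plusSeconds(ttlSeconds)));
        return token;
    }
    // Returns the login for a known, unexpired token, otherwise null.
    static String resolve(String token) throws Exception {
        String key = digestHex("SHA-256", token);
        Session s = SESSIONS.get(key);
        if (s != null && s.expires().isAfter(Instant.now())) return s.login();
        SESSIONS.remove(key);
        return null;
    }
    // On logout or password change, every outstanding cookie for the user stops working.
    static void revokeAll(String login) {
        SESSIONS.values().removeIf(s -> s.login().equals(login));
    }
    public static void main(String[] args) throws Exception {
        String c = passwordDerivedCookie("alice", "constructed-password"); // constructed sample values
        System.out.println("same on every login: " + c.equals(passwordDerivedCookie("alice", "constructed-password")));
        String t1 = issueToken("alice", 3600), t2 = issueToken("alice", 3600);
        System.out.println("tokens differ: " + !t1.equals(t2) + ", owner: " + resolve(t1));
        revokeAll("alice");
        System.out.println("after revoke: " + resolve(t1));
    }
}
```

A token issued this way would be sent with the HttpOnly and Secure cookie attributes; a copied cookie then exposes one session that can be revoked, not material derived from the password.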