Created attachment 37574 [details]
patch to implement "AuthFormDisablePwStore" directive and its function

Currently "mod_auth_form" has the possibility to set a "SitePassphrase". When "SitePassphrase" is set, mod_auth_form uses the SitePassphrase + user stored in the session for authentication instead of user+password for every access - of course after an initial authentication with user+password.

So "mod_auth_form" does not have to store the user-password in the session after initial authentication when using "SitePassphrase", but it does. For security reasons it is a good idea to NOT store the user-password in the session when using "SitePassphrase". Especially when "mod_session_dbd" is used (to store session data on the server side) with a database which resides on the same machine as httpd, the server admin can easily capture all passwords (even when using "mod_session_crypto").

My patch introduces a new directive for "mod_auth_form" called "AuthFormDisablePwStore". When "AuthFormDisablePwStore" is set to "On" (default "Off"), "mod_auth_form" will be prevented from storing the user-password in the session. If "AuthFormDisablePwStore" is set to "On" and "SitePassphrase" is NOT set, "AuthFormDisablePwStore" will be ignored.
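The setup the report describes, as an added configuration example that is not part of the bug report, the attached patch, or the httpd documentation. It uses the stock httpd 2.4 directives for mod_auth_form, mod_session_dbd and mod_session_crypto (the directive the comment calls "SitePassphrase" is AuthFormSitePassphrase in httpd), plus the AuthFormDisablePwStore directive exactly as the patch proposes it; that directive only exists with the patch applied. Paths, the DSN, the session table layout, the cookie name and all passphrases are assumptions.

```apache
# Added example (not from the bug report or the patch).
# Assumptions: module paths, SQLite file, table name "session", passphrases.
LoadModule dbd_module            modules/mod_dbd.so
LoadModule session_module        modules/mod_session.so
LoadModule session_dbd_module    modules/mod_session_dbd.so
LoadModule session_crypto_module modules/mod_session_crypto.so
LoadModule request_module        modules/mod_request.so
LoadModule auth_form_module      modules/mod_auth_form.so
LoadModule authn_core_module     modules/mod_authn_core.so
LoadModule authn_file_module     modules/mod_authn_file.so
LoadModule authz_core_module     modules/mod_authz_core.so

# Server-side session store on the same host as httpd: this is the case the
# report worries about, because whoever can read this file reads every
# session record, and the session-crypto key below is in httpd.conf anyway.
DBDriver  sqlite3
DBDParams "/var/lib/httpd/sessions.db"
DBDPrepareSQL "delete from session where key = %s" deletesession
DBDPrepareSQL "update session set value = %s, expiry = %lld, key = %s where key = %s" updatesession
DBDPrepareSQL "insert into session (value, expiry, key) values (%s, %lld, %s)" insertsession
DBDPrepareSQL "select value from session where key = %s and (expiry = 0 or expiry > %lld)" selectsession
DBDPrepareSQL "delete from session where expiry != 0 and expiry < %lld" cleansession

# Login form target. The form posts httpd_username / httpd_password here.
<Location "/dologin.html">
    SetHandler form-login-handler
    AuthType form
    AuthName "private"
    AuthFormProvider file
    AuthUserFile "/etc/httpd/passwd"
    AuthFormLoginRequiredLocation "/login.html"
    AuthFormLoginSuccessLocation  "/private/"
    Session On
    SessionDBDCookieName   session path=/
    SessionCryptoPassphrase "assumed-session-crypto-key"
    # With a site passphrase, later requests are authenticated from the
    # session's user + site passphrase, so the password is not needed again.
    AuthFormSitePassphrase "assumed-site-passphrase"
    # Proposed by the attached patch (not in stock httpd): without it, or on
    # an unpatched server, the cleartext password is still written into the
    # session record even though AuthFormSitePassphrase is set.
    AuthFormDisablePwStore On
</Location>

# Protected content. Same session and passphrase settings so the session
# written by the login handler is accepted here.
<Location "/private">
    AuthType form
    AuthName "private"
    AuthFormProvider file
    AuthUserFile "/etc/httpd/passwd"
    AuthFormLoginRequiredLocation "/login.html"
    Session On
    SessionDBDCookieName   session path=/
    SessionCryptoPassphrase "assumed-session-crypto-key"
    AuthFormSitePassphrase "assumed-site-passphrase"
    AuthFormDisablePwStore On
    Require valid-user
</Location>
```

A practical check, independent of the patch: after logging in, decrypt or dump a row of the session table and confirm which keys it carries. On an unpatched server with AuthFormSitePassphrase set you will find the password alongside the user name, which is the exposure the report is about; a correctly behaving patched server should store the user name and the site-passphrase marker only.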