Friday, August 05, 2005

Securing CompStrm

I seem to have my security hat on lately. Been thinking about biting the JavaScript and implementing a SHA challenge into the logon page. That would be a whole lot nicer than passing the password in the clear each time. (I'd still pass it in the clear during registration.)

Anyway, today I fixed the security holes in my use of cookies (unreleased):

  1. Cookies have been enhanced. Rather than carrying the internal form of the password (a SHA hash of the password + a constant), cookies now carry the expiration timestamp and a SHA hash of the internal password + the expiration timestamp.
  2. When validating a cookie, the timestamp from the cookie is first checked to see if it has expired.
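The two steps above, worked through as an added example (not CompStrm's own code): the cookie is built from the expiration timestamp and a hash of the internal password plus that timestamp, and validation rejects expired cookies before checking the hash. The post only says "sha", so SHA-256 and the `PASSWORD_CONSTANT` value are assumptions here; the cookie layout (`timestamp:hexdigest`) is also assumed.

```python
import hashlib
import hmac
import time

# Constant mixed into the password to form the "internal" password the post
# describes.  The value is constructed for this example.
PASSWORD_CONSTANT = "compstrm-example-constant"


def internal_password(password: str) -> str:
    """Internal form of the password: SHA hash of password + constant."""
    return hashlib.sha256((password + PASSWORD_CONSTANT).encode()).hexdigest()


def make_cookie(internal_pw: str, expires_at: int) -> str:
    """Cookie = expiration timestamp + SHA hash of (internal password + timestamp).

    The timestamp travels in the clear so the server can check expiry first;
    the hash binds it to the account so the timestamp cannot be changed
    without the internal password.  (A keyed MAC such as HMAC over the
    timestamp is the standard construction for this today; this follows the
    post's hash-of-concatenation design.)
    """
    digest = hashlib.sha256((internal_pw + str(expires_at)).encode()).hexdigest()
    return f"{expires_at}:{digest}"


def validate_cookie(cookie: str, internal_pw: str, now: int) -> bool:
    """Return True only for a well-formed, unexpired cookie whose hash matches."""
    try:
        ts_field, digest = cookie.split(":", 1)
        expires_at = int(ts_field)
    except ValueError:
        return False  # malformed cookie
    if expires_at <= now:
        return False  # step 2 of the post: expired cookies are rejected outright
    expected = hashlib.sha256((internal_pw + str(expires_at)).encode()).hexdigest()
    # Constant-time comparison so a mismatch does not leak timing information.
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    ipw = internal_password("correct horse")          # constructed sample password
    cookie = make_cookie(ipw, int(time.time()) + 3600)
    print(cookie, validate_cookie(cookie, ipw, int(time.time())))
```

Shifting the timestamp field of an issued cookie (to push its expiry out) changes the hashed input, so `validate_cookie` returns False for the altered cookie even though the timestamp itself still looks unexpired.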
