session token
One new feature in zen-cart 1.3.8 was the addition of a session/security token to the login form. This makes it harder to use XSS to hijack your session and is considered a good thing.
With version 0.9.2 this will also be done in ZenMagick. Because the code that does this is shared, it is transparent to the templates, so no changes to forms are required.
EDIT: The previous statement is, of course, not quite correct. The login box needs a wee change as it currently does not set the form id!
Even more, it’s possible to enable this feature on other (POST) forms as well, simply by adding the form id to a setting. This way even plugins may opt in to the session token (the new OpenID plugin is going to do exactly that…)
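A sketch of the mechanism described above, as an added example that is not ZenMagick or zen-cart code: a per-session token emitted as a hidden field and checked on POST only for form ids listed in a setting. All function, constant and field names are hypothetical, and it assumes the handler uses the submitted form id to decide whether to check, which is why a form that sets no id gets no check.

```php
<?php
// Added illustration: every name below is hypothetical, not ZenMagick or zen-cart API.

// Setting: ids of POST forms that opted in to the token check (constructed values).
const TOKEN_SECURED_FORMS = ['login', 'openid_login'];
const TOKEN_FIELD = 'securityToken';

// Return the token bound to this session, creating it on first use.
function sessionToken(array &$session): string
{
    if (empty($session['token'])) {
        $session['token'] = bin2hex(random_bytes(16));
    }
    return $session['token'];
}

// Hidden field a shared form helper can emit, so templates need no change.
function tokenField(string $formId, array &$session): string
{
    if (!in_array($formId, TOKEN_SECURED_FORMS, true)) {
        return '';
    }
    $value = htmlspecialchars(sessionToken($session), ENT_QUOTES);
    return '<input type="hidden" name="' . TOKEN_FIELD . '" value="' . $value . '">';
}

// Reject a POST from an opted-in form when its token is missing or wrong.
function isRequestAllowed(string $method, ?string $formId, array $post, array $session): bool
{
    if ($method !== 'POST' || !in_array($formId, TOKEN_SECURED_FORMS, true)) {
        return true; // not an opted-in form (or no form id at all): no check
    }
    $expected = $session['token'] ?? '';
    $given = $post[TOKEN_FIELD] ?? '';
    // hash_equals compares in constant time
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Constructed requests against a constructed session.
$session = [];
$token = sessionToken($session);
echo tokenField('login', $session), "\n";
var_dump(isRequestAllowed('POST', 'login', [TOKEN_FIELD => $token], $session)); // valid token
var_dump(isRequestAllowed('POST', 'login', [], $session)); // token missing
var_dump(isRequestAllowed('POST', 'login', [TOKEN_FIELD => 'x'], $session)); // wrong token
var_dump(isRequestAllowed('POST', null, [], $session)); // form id not set
```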
