using the token service plugin
I’ve just checked in some changes that allow the auto_login plugin to use the token service plugin.
The way this works is that the cookie no longer stores the user's password; instead it stores a generated, time-limited hash value (the token). The association between the user and that hash value is stored in the database.
This also removes the need for storing the user id in the cookie, which should make things a bit safer as well.
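As an added example (not the plugin's own code), here is a minimal Python sketch of the scheme just described: a random token is issued, the cookie carries only that token, and the database side maps the token to a user id and an expiry time. It goes one step beyond the description above by storing only a SHA-256 digest of the token server-side, so a leaked database dump does not yield usable cookies, and by adding revocation and rotation. The in-memory dict standing in for the database table, the 14-day lifetime and all function names are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed lifetime of an auto-login token (constructed value, 14 days).
TOKEN_LIFETIME = 14 * 24 * 3600

# Hypothetical stand-in for the database table: token digest -> (user id, expiry).
# Only the digest is stored, never the raw token that sits in the cookie.
_token_table: Dict[str, Tuple[int, float]] = {}


def _digest(token: str) -> str:
    """Hash the raw token so the table never holds the cookie value itself.

    Looking the digest up by exact match also avoids timing differences in
    comparing raw secrets: an attacker would need to guess the full token.
    """
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id: int, now: Optional[float] = None) -> str:
    """Create a fresh, unguessable token for user_id and record its expiry.

    The returned string is what goes into the cookie; the user id does not.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    _token_table[_digest(token)] = (user_id, now + TOKEN_LIFETIME)
    return token


def lookup_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Resolve a cookie token to a user id, or None if unknown or expired.

    Expired rows are deleted on sight so the table does not grow without bound.
    """
    now = time.time() if now is None else now
    key = _digest(token)
    row = _token_table.get(key)
    if row is None:
        return None
    user_id, expires_at = row
    if now >= expires_at:
        del _token_table[key]
        return None
    return user_id


def revoke_token(token: str) -> bool:
    """Invalidate one token (e.g. on explicit logout). Returns True if it existed."""
    return _token_table.pop(_digest(token), None) is not None


def revoke_user(user_id: int) -> int:
    """Invalidate every token for a user (e.g. after a password change)."""
    stale = [k for k, (uid, _) in _token_table.items() if uid == user_id]
    for k in stale:
        del _token_table[k]
    return len(stale)


def rotate_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """On a successful auto-login, replace the presented token with a new one.

    Rotation limits how long a copied cookie stays useful. Returns the new
    token, or None if the old one was not valid.
    """
    user_id = lookup_token(token, now)
    if user_id is None:
        return None
    revoke_token(token)
    return issue_token(user_id, now)


if __name__ == "__main__":
    t = issue_token(42)
    print("cookie value:", t)
    print("resolves to user:", lookup_token(t))
    print("after rotation, old token resolves to:", lookup_token(t) if rotate_token(t) else None)
```

When wiring this into a real plugin, the expiry check belongs in the database query as well (select only rows with expiry in the future), and the cookie should be set with the `HttpOnly` and `Secure` flags so the token is not readable from scripts or sent over plain HTTP.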
The trickiest bit of all this is actually that the token plugin needs to be sorted so that it is loaded before the auto_login plugin, but that is trivial using the sort order in the Plugin Manager. (This actually reminds me that I always wanted to have a nicer Plugin Manager interface. Maybe now would be a good time...)
Please note that the wiki pages will hopefully be updated once the plugins are live!
Next on the list of things to do with the token service.
