insecure authentication system

[ed588]

the way you are handling authentication is by setting a cookie to a string kept in a config file.

this is very insecure and you should use a different method, because anyone who intercepts the cookie knows the authentication secret.

at the very least, you should hash it in some way.

[Bentechy66]

This system is designed for https servers

[oliverh57]

Hashing the cookie would be of no merit. It is just used as a random string to check that all requests to the reverse proxy PHP are real. In an upcoming release, I want to make cookie change based on the time and the starting auth code.

Another feature required is a sign out button to delete the cookie and close the session.

I will add a section to the readme stating that HTTPS must be used.

[Bentechy66]

I would assume hashing the cookie is to protect against man in the middle attacks.