Bug #46656 for Catalyst-Authentication-Store-DBIx-Class: Wishlist: prevent passwords (plain or hashed) from being stored in $c->session hash

Hi, I have been dealing with the question whether it is possible to prevent users' passwords (plain or hashed) being stored in session hash as I use session::store::file and thus these quite sensitive information is stored somewhere on filesystem. I know that I have carefully set filesystem permissions to mitigate this risk, however I cannot find out any good reason why to keep password/hash in the session. After a short discussion on IRC I was pointed out to option use_userdata_from_session. However the $c->session->{'__user'} seems to have the same content (incl. password field) if I set use_userdata_from_session to 1 or 0. Some people in discussion stated that it should work slightly differently - just store user_id (not all data) in session hash - but this idea was probably left commented out in code of for_session() and from_session(). If putting the complete user record (incl. password/hash) into session is intended behaviour (maybe not) I would like to ask whether it is possible to configure somehow which columns are not copied into session hash. Based on IRC discussion I have come into conclusion that for_session method of auth::store is the right place for this sort of censorship. I mean something like setting configuration parameter: "for_session_exclude=password" tells the store not to put password column into return value of for_session. Thanks in advance for any feedback. -- kmx