Thanks for the background Sam. For a moment I panicked about the cookie hash vulnerability as I have legacy WP 2.1 (and bbpress 0.81) installs that are too customized to upgrade (I hack security fixes in manually) but then I read this:
*If* an attacker can gain read access to the wp_user table, for example due to a publicly visible backup or SQL injection vulnerability, a valid cookie can be generated for any account.
You’ve got bigger problems if an attacker can do a SQL injection or has access to your mysql backup. But I can definitely understand why they replaced it. Who the heck figures these vulnerabilities out though, wow.
Since bbShowcase is stand alone bbPress (for now) I’ll give the upgrade another shot later and try to understand what’s going on with the cookies/login.
I take it that 0.8.3.1 doesn’t use the new cookies though? At some point you might need to release 1075 as 0.8.3.5 or something like that?