--- html/login.php 2008-07-24 16:57:13.000000000 +0200 +++ html/login.php.orig 2011-10-11 18:18:00.000000000 +0200 @@ -188,9 +188,16 @@ # fixed $ServerID, $user_prefix, $hostname, $master_confixx # + /* don't store password in session unless necessary */ + if (!in_array($_POST['_cat'], array("ftp", "pop3"))) + $_POST['password'] = ""; + addSUser( $account_info['login'], $_POST['password'], $account_info['type'] ); + + /* delete password */ + $_POST['password'] = ""; if( $account_info['type'] == USERTYPE_MASTER ){
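Review bot: The test that decides whether the password is passed to `addSUser()` reads `$_POST['_cat']`, a client-supplied field, without an `isset()` check, so the client rather than the server chooses whether the cleartext password is retained. If the category can be derived from server-side state such as `$account_info`, key the test on that; otherwise guard the read and brace the body: `if (!isset($_POST['_cat']) || !in_array($_POST['_cat'], array("ftp", "pop3"), true)) { $_POST['password'] = ""; }`. The later `$_POST['password'] = "";` clears only that superglobal, while `$_REQUEST['password']` is a separate copy that still holds the value and should be blanked as well. For the ftp and pop3 cases the password presumably still lands in session storage in cleartext (the body of `addSUser()` and the rest of the enclosing block are outside the hunk), so a comment should state why it is kept and where it is discarded.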