Do not store password in clear text in session when password store option is enabled
We currently have an option to store the password in the session (disabled by default), which can be used to replay the password with Auth Basic or Form replay.
Even though we strongly discourage the use of this option, we could improve it by storing a ciphered value of the password in the session and decrypting it when needed.
So far, what needs to be done:
- Have a new option to cipher the password (should be true by default)
- Have a new option to set a key (if no key, the default key will be used)
- Add a decrypt extended function (the reverse of https://lemonldap-ng.org/documentation/latest/extendedfunctions.html#encrypt)