When I originally developed Security.php I planned on making the cache and other functions private so that other modules could not directly modify the Security cache. I then realized that the documentation I was looking at was for PHP5, and what I was doing would not work in PHP4.

Thus the design had to change, and security functions and the entire cache is exposed to any module that wants to poke at it.

Now that we're going to PHP5 Security could be done as originally envisioned, however it may have consequences if any modules are directly accessing the security cache, using cache_mgr, etc.

The question is, should Security be updated to take advantage of the new options for private class functions and variables in PHP5, or should we leave it as is and call it secure enough for our purpose?

The biggest worry for security is someone coding a module that would parse your bot.conf and send them your AO username/password. There is nothing the security module can really do about that one.

Possibly the worst thing someone could do is:

$this -> bot -> security -> cache = array();

Which would basically ban everyone until the bot was restarted or the 12 hour cron job came around and refreshed the security cache.

I'm leaning to the leave it as is myself, but I haven't decided yet.