We are not supposed to store credentials in session, so storing a
blowfish secret there is not appropriate, IMO. This is why we have not
(yet) chosen 'cookie' as default auth_type.
It will be a temporary credential for the session only; I think it is
okay to store it there.
Maybe choosing 'http' would be better as a default?
I'm in favor of cookie, simply because it is more user friendly.