I just tagged version 1.2 of the http-authentication plugin, which includes a security fix. Users of previous versions are urged to upgrade.

Previously it was possible for one authorized user to impersonate another by forging their WordPress login cookie. A malicious user would need to be authorized via your external authentication mechanism first. Thanks to Mark Quinn for reporting this.

I apologize for the inconvenience. If you have any questions, post them here or, if they are security sensitive, email me.

Update: When you upgrade, please edit each user’s profile in WordPress to scramble his or her password in the database.