Index: wp-admin/includes/misc.php
===================================================================
--- wp-admin/includes/misc.php	(revision 6349)
+++ wp-admin/includes/misc.php	(working copy)
@@ -140,7 +140,8 @@
 	// Clear cookies for old paths.
 	wp_clearcookie();
 	// Set cookies for new paths.
-	wp_setcookie( $user_login, $user_pass_md5, true, get_option( 'home' ), get_option( 'siteurl' ));
+	// TODO: Review this - suspect the user will have to log in again.
+	//wp_setcookie( $user_login, $user_pass_md5, true, get_option( 'home' ), get_option( 'siteurl' ));
 }
 
 add_action( 'update_option_home', 'update_home_siteurl', 10, 2 );
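Review bot: Commenting out the wp_setcookie() call on L11 leaves dead code behind a TODO rather than a decision; the patched wp_setcookie in wp-includes/pluggable.php no longer reads its $password argument (the md5 lines are removed and the PASS_COOKIE setcookie calls are commented out), so the original call appears to still work and would re-issue the auth cookie on the new path, which is exactly the forced re-login the TODO worries about. If dropping the call is intentional, delete the line and replace the TODO with a comment stating why, e.g. `// Cookies are not re-set here: changing home/siteurl requires a fresh login.` The enclosing function update_home_siteurl starts outside the hunk.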
Index: wp-includes/pluggable.php
===================================================================
--- wp-includes/pluggable.php	(revision 6349)
+++ wp-includes/pluggable.php	(working copy)
@@ -46,8 +46,8 @@
 	if ( ! empty($current_user) )
 		return;
 
-	if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) ||
-		!wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true) ) {
+	if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[AUTH_COOKIE]) ||
+		!wp_validatecookie($_COOKIE[USER_COOKIE], $_COOKIE[AUTH_COOKIE]) ) {
 		wp_set_current_user(0);
 		return false;
 	}
@@ -293,29 +293,21 @@
 endif;
 
 if ( !function_exists('wp_login') ) :
-function wp_login($username, $password, $already_md5 = false) {
-	global $wpdb, $error;
+function wp_login($username, $password, $deprecated) {
+	global $error;
 
-	$username = sanitize_user($username);
-
-	if ( '' == $username )
-		return false;
-
 	if ( '' == $password ) {
 		$error = __('<strong>ERROR</strong>: The password field is empty.');
 		return false;
 	}
 
 	$login = get_userdatabylogin($username);
-	//$login = $wpdb->get_row("SELECT ID, user_login, user_pass FROM $wpdb->users WHERE user_login = '$username'");
 
 	if (!$login) {
 		$error = __('<strong>ERROR</strong>: Invalid username.');
 		return false;
 	} else {
-		// If the password is already_md5, it has been double hashed.
-		// Otherwise, it is plain text.
-		if ( ($already_md5 && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) {
+		if ( ($login->user_login == $username && $login->user_pass == md5($password)) ) {
 			return true;
 		} else {
 			$error = __('<strong>ERROR</strong>: Incorrect password.');
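Review bot: The third parameter lost its default on L36 (`function wp_login($username, $password, $deprecated)`), so every existing two-argument caller now triggers a missing-argument warning; keep a default, `function wp_login($username, $password, $deprecated = false) {`. The hunk also drops the sanitize_user() call and the empty-username guard (L39-L42), so the raw, possibly empty username now goes straight to get_userdatabylogin(); if that is intended the commit message should say so, otherwise restore `$username = sanitize_user($username);` before the lookup. A one-line comment on the signature, `// $deprecated: formerly $already_md5; cookie validation now lives in wp_validatecookie()`, would tell readers why the parameter is kept. The function's tail runs past the hunk.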
@@ -340,11 +332,11 @@
 function auth_redirect() {
 	// Checks if a user is logged in, if not redirects them to the login page
 	if ( (!empty($_COOKIE[USER_COOKIE]) &&
-				!wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true)) ||
+				!wp_validatecookie($_COOKIE[USER_COOKIE], $_COOKIE[AUTH_COOKIE])) ||
 			 (empty($_COOKIE[USER_COOKIE])) ) {
 		nocache_headers();
 
-		wp_redirect(get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
+		wp_redirect(get_option('siteurl') . '/wp-login.php?auth=expired&redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
 		exit();
 	}
 }
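Review bot: The `auth=expired` parameter on L73 is appended for both branches of the condition, including a visitor with no USER_COOKIE at all, so wp-login.php will tell never-logged-in users that their cookie expired. Only the validation-failure branch should carry the flag; in addition `$_COOKIE[AUTH_COOKIE]` on L68 is read without an isset() check when only the user cookie is present, which raises an undefined-index notice. The rewrite below separates the two cases and passes an empty token when the auth cookie is missing.
```php
function auth_redirect() {
	// Checks if a user is logged in, if not redirects them to the login page
	$has_user = !empty($_COOKIE[USER_COOKIE]);
	$auth     = isset($_COOKIE[AUTH_COOKIE]) ? $_COOKIE[AUTH_COOKIE] : '';
	$expired  = $has_user && !wp_validatecookie($_COOKIE[USER_COOKIE], $auth);
	if ( !$has_user || $expired ) {
		nocache_headers();

		// Only a failed validation is an "expired" session; a missing cookie is a plain login prompt.
		$query = ($expired ? 'auth=expired&' : '') . 'redirect_to=' . urlencode($_SERVER['REQUEST_URI']);
		wp_redirect(get_option('siteurl') . '/wp-login.php?' . $query);
		exit();
	}
}
```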
@@ -376,11 +368,11 @@
 		foreach ( $cookie as $tasty ) {
 			if ( false !== strpos($tasty, USER_COOKIE) )
 				$user = substr(strstr($tasty, '='), 1);
-			if ( false !== strpos($tasty, PASS_COOKIE) )
+			if ( false !== strpos($tasty, AUTH_COOKIE) )
 				$pass = substr(strstr($tasty, '='), 1);
 		}
 
-		if ( $current_name != $user || !wp_login( $user, $pass, true ) )
+		if ( $current_name != $user || !wp_validatecookie( $user, $pass ) )
 			die('-1');
 	}
 	do_action('check_ajax_referer');
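Review bot: `$pass` on L83 now holds the auth token rather than a password, and neither `$user` nor `$pass` is initialised before the foreach on L78, so a request whose Cookie header lacks AUTH_COOKIE passes an undefined variable to wp_validatecookie() on L87. Initialise both ahead of the loop with `$user = $auth = '';`, store the token as `$auth = substr(strstr($tasty, '='), 1);`, and call `!wp_validatecookie( $user, $auth )` so the name matches what the value is. check_ajax_referer's body starts outside the hunk.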
@@ -473,9 +465,12 @@
 
 if ( !function_exists('wp_setcookie') ) :
 function wp_setcookie($username, $password, $already_md5 = false, $home = '', $siteurl = '', $remember = false) {
-	if ( !$already_md5 )
-		$password = md5( md5($password) ); // Double hash the password in the cookie.
 
+	$user = get_userdatabylogin($username);
+	//Generate a new authentication cookie.
+	$auth = wp_hash(wp_salt() . $username . uniqid( microtime() ));
+	update_usermeta($user->ID, 'wp_authentication_cookie', wp_hash($auth) ) ;
+	
 	if ( empty($home) )
 		$cookiepath = COOKIEPATH;
 	else
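Review bot: `$user` from get_userdatabylogin() on L98 is dereferenced on L101 without checking for a failed lookup, so an unknown username yields a notice and an update_usermeta() call with a null ID; guard it with `if ( !$user ) return;` before generating the token. The token on L100 is derived from the salt, the username, uniqid() and microtime(), none of which is an unpredictable source; for a bearer credential the random part should come from a CSPRNG (random_bytes() or random_int() where the PHP version provides them) rather than a timestamp. Because update_usermeta() on L101 overwrites the single `wp_authentication_cookie` value, each login invalidates the token held by any other browser the same user is logged into; if that is intended, document it on the function, and if not, the stored value needs to hold more than one token. `$password` and `$already_md5` are now unused parameters, which deserves a comment such as `// $password / $already_md5 are ignored: the cookie carries a random token, not a password hash.`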
@@ -495,11 +490,13 @@
 		$expire = 0;
 
 	setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN);
-	setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN);
+	setcookie(AUTH_COOKIE, $auth, $expire, $cookiepath, COOKIE_DOMAIN);
+	//setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN);
 
 	if ( $cookiepath != $sitecookiepath ) {
 		setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN);
-		setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN);
+		setcookie(AUTH_COOKIE, $auth, $expire, $sitecookiepath, COOKIE_DOMAIN);
+		//setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN);
 	}
 }
 endif;
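Review bot: The commented-out PASS_COOKIE lines on L112 and L118 are dead code; delete them rather than keeping them as comments, since version control holds the history. The AUTH_COOKIE now carries the bearer token that grants the session, so the setcookie() calls on L111 and L117 should pass the httponly flag (and secure on HTTPS sites) where the PHP version supports those parameters, keeping the token out of reach of page scripts. wp_setcookie begins before this hunk.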
@@ -508,8 +505,10 @@
 function wp_clearcookie() {
 	setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
 	setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
+	setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
 	setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
 	setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
+	setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
 }
 endif;
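Review bot: Clearing the AUTH_COOKIE on L126 and L129 removes it from the browser but leaves the hashed token in the `wp_authentication_cookie` usermeta, so a copy of the cookie taken before logout remains valid until the user next logs in. wp_clearcookie() has no user context, so the logout path that calls it should also blank that usermeta entry for the current user; a comment here, `// NOTE: does not revoke the stored token; logout handlers must also clear the wp_authentication_cookie usermeta`, would make the limitation explicit.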
 
@@ -700,4 +699,32 @@
 }
 endif;
 
+if ( !function_exists('wp_validatecookie') ) :
+function wp_validatecookie($username, $auth_cookie) {
+	global $error;
+
+	$login = get_userdatabylogin($username);
+
+	if (!$login) {
+		$error = __('<strong>ERROR</strong>: Invalid username.');
+		return false;
+	} else {
+		$auth = get_usermeta($login->ID, "wp_authentication_cookie" );
+		if ( ( '' != $auth ) && ($login->user_login == $username ) && ( wp_hash( $auth_cookie ) == $auth ) ) {
+			return true;
+		} else {
+			wp_clearcookie();
+			$error = __('<strong>ERROR</strong>: Authentication Cookie Invalid.');
+			return false;
+		}
+	}
+}
+endif;
+
+
+
+
+
+
+
 ?>
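Review bot: The comparison `wp_hash( $auth_cookie ) == $auth` on L148 uses loose equality; if wp_hash() returns a hex digest (not shown in this patch), two strings of the form `0e<digits>` compare equal as numbers, so use strict comparison: `if ( '' != $auth && $login->user_login === $username && wp_hash( $auth_cookie ) === $auth ) {` (hash_equals() would additionally avoid a timing difference where available). Calling wp_clearcookie() on L151 from inside a validator means the callers on L25-26, L68 and L87 emit Set-Cookie headers as a side effect of a check, which fails silently once output has started; consider leaving cookie clearing to the callers. The seven blank lines added on L158-L164 before `?>` should be dropped. A short header comment would help: `// Validates the AUTH_COOKIE token for $username against the hash stored in the wp_authentication_cookie usermeta.`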
Index: wp-login.php
===================================================================
--- wp-login.php	(revision 6349)
+++ wp-login.php	(working copy)
@@ -345,6 +345,7 @@
 	elseif	( 'confirm' == $_GET['checkemail'] )	$errors['confirm']			= __('Check your e-mail for the confirmation link.');
 	elseif	( 'newpass' == $_GET['checkemail'] )	$errors['newpass']			= __('Check your e-mail for your new password.');
 	elseif	( 'registered' == $_GET['checkemail'] )	$errors['registered']		= __('Registration complete. Please check your e-mail.');
+	elseif  ( 'expired' == $_GET['auth'] )			$errors['auth']   			= __('Your cookie has expired please log back in.');
 
 	login_header(__('Login'));
 ?>
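Review bot: `$_GET['auth']` on L174 is read without an isset() check, so every request reaching this branch without that parameter raises an undefined-index notice; use `elseif ( isset($_GET['auth']) && 'expired' == $_GET['auth'] ) $errors['auth'] = __('Your session has expired. Please log in again.');`. The message as written lacks punctuation between its two clauses, and the mixed tabs and spaces used for alignment differ from the surrounding lines. The elseif chain starts outside the hunk.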
Index: wp-settings.php
===================================================================
--- wp-settings.php	(revision 6349)
+++ wp-settings.php	(working copy)
@@ -189,7 +189,9 @@
 	define('USER_COOKIE', 'wordpressuser_'. COOKIEHASH);
 if ( !defined('PASS_COOKIE') )
 	define('PASS_COOKIE', 'wordpresspass_'. COOKIEHASH);
-if ( !defined('TEST_COOKIE') )
+if ( !defined('AUTH_COOKIE') )
+	define('AUTH_COOKIE', 'wordpressauth_'. COOKIEHASH);
+	if ( !defined('TEST_COOKIE') )
 	define('TEST_COOKIE', 'wordpress_test_cookie');
 if ( !defined('COOKIEPATH') )
 	define('COOKIEPATH', preg_replace('|https?://[^/]+|i', '', get_option('home') . '/' ) );
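Review bot: The `if ( !defined('TEST_COOKIE') )` line on L189 gained a leading tab that the neighbouring guards do not have, making it look nested under the AUTH_COOKIE define although it is not; drop the tab so it reads `if ( !defined('TEST_COOKIE') )` at column 0 like L184 and L191.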
