Index: trunk/admin/config.example.php
===================================================================
--- trunk/admin/config.default.php	(revision 902)
+++ trunk/admin/config.example.php	(revision 911)
@@ -1,13 +1,14 @@
 <?php
 
-// this is default config, DO NOT modify this file
-// copy this file and write your own config and name it as config.php
+// DO NOT modify this file
+// if you want to customize config, copy this file and name it as config.php
+// upgrading your config.php when config.example.php were upgraded
 
-// detected by browser
+// leave this setting unset to auto detect using browser request header
 // $config['lang'] = 'en-us';
 
 $config['charset'] = "UTF-8";
 
-// translators only
+// enable this for translators only
 $config['show_todo_strings'] = false;
 
@@ -21,7 +22,4 @@
 
 // this ob filter is applied for the cache list, not the whole page
-$config['path_nicer'] = 'ob_filter_path_nicer_default';
-
-/*
 function custom_ob_filter_path_nicer($list_html)
 {
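Review bot: The now-uncommented `custom_ob_filter_path_nicer()` is declared unconditionally at file scope, while the header comment tells users to copy this file to config.php. If the admin pages ever load both files in one request, PHP would stop with a function redeclaration error; whether both are loaded is not visible from this diff. Wrapping the declaration in `if (!function_exists('custom_ob_filter_path_nicer')) { ... }` would make the copied file safe either way. The function body lies outside this hunk.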
@@ -30,9 +28,10 @@
 }
 $config['path_nicer'] = 'custom_ob_filter_path_nicer';
-*/
 
-// you can simply let xcache to do the http auth
-// but if you have your home made login/permission system, you can implement the following
-// {{{ home made login example
+// XCache builtin http auth is enforce for security reason
+// if http auth is disabled, any vhost user that can upload *.php, will see all variable data cached in XCache
+
+// but if you have your own login/permission system, you can use the following example
+// {{{ login example
 // this is an example only, it's won't work for you without your implemention.
 /*
@@ -42,5 +41,17 @@
 	session_start();
 
-	if (!user_logined()) {
+	if (user_logined()) {
+		user_load_permissions();
+		if (user_is_admin()) {
+			// user is trusted after permission checks above.
+			// tell XCache about it (the only secure way to by pass XCache http auth)
+			$_SERVER["PHP_AUTH_USER"] = "moo";
+			$_SERVER["PHP_AUTH_PW"] = "your-xcache-password-before-md5";
+		}
+		else {
+			die("Permission denied");
+		}
+	}
+	else {
 		if (!ask_the_user_to_login()) {
 			exit;
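Review bot: The placeholder `"your-xcache-password-before-md5"` at the `$_SERVER["PHP_AUTH_PW"]` assignment asks the administrator to store the clear-text XCache admin password in config.php, and the example carries no comment about protecting that file. The name implies the value configured for XCache itself is only the MD5, so config.php becomes the one place where the usable password sits on disk. Under the shared-host threat that the new comment above the example describes (any vhost user who can upload *.php), a config.php readable by other accounts would expose the admin credential. I would add a comment beside the assignment such as `// config.php now holds the clear-text admin password: keep it readable only by the web server account`, and repeat it on the unconditional bypass block in the last hunk, which sets the same value. The enclosing function starts before this hunk and ends after it.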
@@ -48,13 +59,4 @@
 	}
 
-	user_load_permissions();
-	if (!user_is_admin()) {
-		die("Permission denied");
-	}
-
-	// user is trusted after permission checks above.
-	// tell XCache about it (the only way to by pass XCache http auth)
-	$_SERVER["PHP_AUTH_USER"] = "moo";
-	$_SERVER["PHP_AUTH_PW"] = "your-xcache-password";
 	return true;
 }
@@ -66,5 +68,5 @@
 /* by pass XCache http auth
 $_SERVER["PHP_AUTH_USER"] = "moo";
-$_SERVER["PHP_AUTH_PW"] = "your-xcache-password";
+$_SERVER["PHP_AUTH_PW"] = "your-xcache-password-before-md5";
 */
 
