In the last commit (a2f785d) I added '\s' to the beginning of the preg_replace pattern so that 'email@example.com' wouldn't match, but this meant (unnumbered) output of lsc and lsprj wouldn't match either. Now the pattern matches any @ or + word with leading space or at the start of a line.
I liked using GET because you could bookmark URLs for specific listings. However, it's not a good choice because if you run, say, an `add` or a `do` in Mobile Safari, switch to another app or browser tab and then come back later, the page may reload on you and cause a repeat of your previous action, with potentially bad consequences. So I switched to POST.
There is now a "remember me" checkbox for the cookies. If it is checked, two cookies are set: one for the username and another is an md5 of the password. Each are now properly validated against values stored in includes/config.php. Thanks for the help, Emil!