+haggaeus
Posted May 11, 2003

When you log in to geocaching.com, you are redirected to a URL which contains your username and password in clear form:

/login/default.asp?redir=&S=0&ID=&U=&username=haggaeus&password=mypasswordhere&Login=Login

- so it can be seen in browser history, proxy logs, etc. It would be safer to use POST for the login form and not to pass the password in GET URLs.
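An added example, not part of the original posts or the site's code: a Python sketch that scans access log lines (web server or proxy) for passwords carried in GET query strings, as described in the post above, and redacts them. The log lines, the `SENSITIVE_PARAMS` list and the function names are constructed for illustration; only the login URL shape comes from the post.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as secrets (assumed list; extend for your application).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass"}

# Request line of a common/combined-format log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def redact_target(target):
    """Return (redacted_target, leaked_param_names) for one request target."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # An empty value is not a leak, so only non-empty secrets are flagged.
    leaked = [k for k, v in pairs if k.lower() in SENSITIVE_PARAMS and v]
    clean = [(k, "REDACTED" if k in leaked else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean))), leaked


def scan_log(lines):
    """Yield (line_no, method, leaked_params, redacted_line) for exposing entries."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        redacted, leaked = redact_target(m.group("target"))
        if leaked:
            yield n, m.group("method"), leaked, line.replace(m.group("target"), redacted)


# Constructed sample entries: the GET login from the post, the same login sent
# as POST (body is never logged), and a GET with an empty password parameter.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/May/2003:10:00:01 +0000] "GET /login/default.asp?redir=&S=0'
    '&ID=&U=&username=haggaeus&password=mypasswordhere&Login=Login HTTP/1.1" 302 0',
    '192.0.2.10 - - [11/May/2003:10:00:05 +0000] "POST /login/default.asp HTTP/1.1" 302 0',
    '192.0.2.11 - - [11/May/2003:10:01:00 +0000] "GET /example.asp?password= HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, method, leaked, redacted in scan_log(SAMPLE_LOG):
        print(f"line {n}: {method} request exposes {leaked}")
        print(f"  {redacted}")
```

Only the GET login entry is reported; the POST entry carries the same credentials in the request body, which access logs and browser history do not record.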
+parkrrrr
Posted May 12, 2003

quote: Originally posted by Haggaeus:
When you log in to geocaching.com, you are redirected to a URL which contains your username and password in clear form:

Well, that's very odd. You're absolutely right that it uses GET, but I know it hasn't always been that way. I have a Perl script that logs in as me so it can download .loc files¹, and at the time that I wrote it the login process must have used POST, because that's what I used in the script. Anyone who's used LWP knows that POST is a bit harder to use than GET, so I must have thought it was necessary at the time.

¹ No, it's not a spider.
+ClayJar
Posted May 12, 2003

I noticed the password in the GET query string a while back, but it passed out of my mind somewhere in the vast streams of Watcher code. Oops. I believe it's been there since the old-new forums (as opposed to the new-new forums or the old-old forums) and the unified forum/GCc logins they brought.

(Oh, and by the way, fuzz, I just now actually read your sig for the first time... I say, that's the most rousing rendition of "The Cachers Who Don't Do Anything" that I've ever heard. *sniffle*)

[[[ ClayJar Networks ]]]
Home of Watcher downloads, Official Geocaching Chat, and the Geocache Rating System