+haggaeus
Posted May 11, 2003

When you log in to geocaching.com, you are redirected to a URL which contains your username and password in clear form: /login/default.asp?redir=&S=0&ID=&U=&username=haggaeus&password=mypasswordhere&Login=Login - so it can be seen in browser history, proxy logs, etc. It would be safer to use POST for the login form and not to pass the password in GET URLs.
+parkrrrr
Posted May 12, 2003

quote: Originally posted by Haggaeus:
When you log in to geocaching.com, you are redirected to a URL which contains your username and password in clear form:

Well, that's very odd. You're absolutely right that it uses GET, but I know it hasn't always been that way. I have a Perl script that logs in as me so it can download .loc files¹, and at the time that I wrote it the login process must have used POST, because that's what I used in the script. Anyone who's used LWP knows that POST is a bit harder to use than GET, so I must have thought it was necessary at the time.

¹ No, it's not a spider.
+ClayJar
Posted May 12, 2003

I noticed the password in the GET query string a while back, but it passed out of my mind somewhere in the vast streams of Watcher code. Oops. I believe it's been there since the old-new forums (as opposed to the new-new forums or the old-old forums) and the unified forum/GCc logins they brought.

(Oh, and by the way, fuzz, I just now actually read your sig for the first time... I say, that's the most rousing rendition of "The Cachers Who Don't Do Anything" that I've ever heard. *sniffle* )

[[[ ClayJar Networks ]]] Home of Watcher downloads, Official Geocaching Chat, and the Geocache Rating System