Jump to content
Sign in to follow this  
Followers 0
haggaeus

password visible in login URL

Recommended Posts

When you login to geocaching.com, you are redirected to URL which contains your username and password in clear form:

/login/default.asp?redir=&S=0&ID=&U=&username=haggaeus&password=mypasswordhere&Login=Login

- so it can be seen in browser history, proxy logs, etc. It would be safer to use POST for login form and not to pass the password to GET URLs.

Share this post


Link to post

quote:
Originally posted by Haggaeus:

When you login to geocaching.com, you are redirected to URL which contains your username and password in clear form:


 

Well, that's very odd. You're absolutely right that it uses GET, but I know it hasn't always been that way. I have a Perl script that logs in as me so it can download .loc files¹, and at the time that I wrote it the login process must have used POST, because that's what I used in the script. Anyone who's used LWP knows that POST is a bit harder to use than GET, so I must have thought it was necessary at the time.

 

¹ No, it's not a spider.

 

warm.gif

Share this post


Link to post

I noticed the password in the GET query string a while back, but it passed out of my mind somewhere in the vast streams of Watcher code. Oops. I believe it's been there since the old-new forums (as opposed to the new-new forums or the old-old forums) and the unified forum/GCc logins they brought.

 

(Oh, and by the way, fuzz, I just now actually read your sig for the first time... I say, that's the most rousing rendition of "The Cachers Who Don't Do Anything" that I've ever heard. *sniffle* icon_wink.gif)

 

[[[ ClayJar Networks ]]]

Home of Watcher downloads, Official Geocaching Chat, and the Geocache Rating System

Share this post


Link to post
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0

×
×
  • Create New...