Insecure Login

chalupas Sep 16, 2003 1:12 AM

When I have got a new account I see new message like 'Login to change your info', where Login has a hyperlink whith parameters ...uname=mylogin&pass=mypass.
This means that login and password send by HTTP GET, and I'll have some problem - everyone who can see access.log file can get my personal data.

1. Re: Insecure Login

julien1 Sep 16, 2003 4:37 AM (in response to chalupas)

I see, you would prefer a POST method instead of GET ?
Actions
2. Re: Insecure Login

chalupas Sep 29, 2003 2:57 AM (in response to chalupas)

I would prefer send SESSION_ID instead of login/password (POST or GET)
Actions
3. Re: Insecure Login

julien1 Sep 29, 2003 11:59 AM (in response to chalupas)

so what you say is to put the created user directly in the session ?
did you look at the nukes code ?

julien
Actions

Go to original post