2 replies to this topic

[Crane]

This might be more of a suggestion, but it is a technical issue... I would like to suggest reprogramming the trading pages on the website to use HTTP "POST" submission method, rather than HTTP "GET", for two reasons...

1) It violates the HTML specification, as the form isn't genuinely "idempotent" (the only time that it is recommended to use "GET").
2) The user's account password appears in the address bar (as plaintext) after it is submitted.

[Crane]

This topic got quickly buried by another issue, but I can't help but feel that the password appearing as plaintext is a big security hole.

[Yggdrasill]

Ticket from me to JLH...

Me: When using the site to class change a character, it asks for the name of the character and the account password and you click Next button. The new page loads and your character name and password are both displayed in plain text in the URL. Can't believe I never noticed this in the 8ish years I've been changing characters.

Oracle: Marking for JLH to review as he's the only one that can change code based things like that.

JLH: you are correct, that's how i did it many many years ago - there is no problems with this (unless someone is reading your internet history or watching your screen).
i guess it wouldn't hurt if i encoded it.


This is from quite a while back but there you have it.