Comment by MrMid
7 years ago
Well, a while ago I saw this code (on my own project!): window.open("?controller=users&action=changePassword&name=" + user_name + "&password=" + password)
I was horrified, glad it isn't live yet, and I fixed it immediately. But I'm still wondering whether I was so sleep-deprived or drunk when I wrote this. It's over SSL, so it should not be that big deal, but still, GET shouldn't be used for such things.
Well you don’t seem to validate the existing password prior to authorizing the change.
Good CSRF protection on GET requests is also near impossible to implement as GET is intended to be a “safe” request as in a request that does not modify a state but this isn’t something that is actually practiced.
Actually, I do. This is not a form for user to change his own password, rather a administrators form to change another user's form. And for such actions the administrators identity and privileges are checked. But I understand your reasoning and thank you for pointing it out.
And yeah, I try to use GET only for safe requests, but I should be more careful.
Another big deal is that it'll get stored in server logs too.
It's a big deal since it will be visible in access logs in plaintext, so if the logs are compromised your users would be too.