To avoid some future hacks, it's better to remove all account id and character id occurrences in the control panel (code source, url, browser storage) for regular users.
They don't need the account id in the URL, since they can just check/modify their own account.
The character id can be replace by the character slot, more secured.
It should also be removed if it's a md5 hash, in the URL OR in the cookie.
The cookie should also not contain the md5 of the user password to avoid hack, really.
To avoid some future hacks, it's better to remove all account id and character id occurrences in the control panel (code source, url, browser storage) for regular users.
They don't need the account id in the URL, since they can just check/modify their own account. The character id can be replace by the character slot, more secured.
It should also be removed if it's a md5 hash, in the URL OR in the cookie. The cookie should also not contain the md5 of the user password to avoid hack, really.