backface / turtlestitch

visual, blocks-based programming for turtle graphics and generative embroidery
http://www.turtlestitch.org
GNU Affero General Public License v3.0

password unencrypted? #36

Closed. xota closed this 5 years ago

xota commented 6 years ago

When trying to log in after some time running Turtlestitch (so browser was slowed down) I saw my password for some seconds in the URL :-(

Feature request: possibility to login while staying in project (aka "login to save")

backface commented 6 years ago

You are right, login is an HTTP GET request at the moment. I could change it to POST, then you would not see it, but it's still sent unencrypted like any other plain HTTP form request. You can, however, also access the platform via https (but it's optional at the moment).

xota commented 6 years ago

But isn't it better and almost free to store something like md5(password) and send that to check?

backface commented 6 years ago

Yes, you are right, passwords are stored encrypted - on the server side.

But it still needs to be sent to the server and verified (basically by checking whether it produces the same hash). Why not send the hash? The duplicated functionality does not add any security, as now an attacker could intercept and use the hash (no need for the clear text password anymore).

The easiest solution to this is to use an SSL encrypted connection. It might be an option to force use of HTTPS.
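The argument above, that sending md5(password) instead of the password gains nothing against interception, as an added simulation (not TurtleStitch's code; both login schemes and the eavesdropper are constructed here): whichever scheme is used, a token captured from a plain-HTTP request logs in when replayed unchanged, and only transport encryption removes that capture.

```python
import hashlib
import hmac
import os

# Two hypothetical login designs, neither of them the project's own code:
#  "client_hash": the browser sends md5(password); the server stores md5(password).
#  "server_hash": the browser sends the password; the server stores a salted,
#                 slow hash (PBKDF2) and verifies by recomputing it.
PBKDF2_ROUNDS = 200_000


def register(scheme, password):
    """Create the server-side record for a new account."""
    if scheme == "client_hash":
        return {"md5": hashlib.md5(password.encode()).hexdigest()}
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "dk": dk}


def client_send(scheme, password):
    """The credential that travels over the wire (query string for GET, body for POST)."""
    if scheme == "client_hash":
        return hashlib.md5(password.encode()).hexdigest()
    return password


def server_verify(scheme, record, token):
    """Server-side check of whatever arrived in the login request."""
    if scheme == "client_hash":
        return hmac.compare_digest(record["md5"], token)
    dk = hashlib.pbkdf2_hmac("sha256", token.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(record["dk"], dk)


def replay_succeeds(scheme, password):
    """Passive eavesdropper on plain HTTP: capture the token once, resubmit it as-is.
    Returns True when the server accepts the replayed token."""
    record = register(scheme, password)
    captured = client_send(scheme, password)  # visible in the URL or form body
    return server_verify(scheme, record, captured)


def wire_token_equals_stored_value(password):
    """In the client-hash scheme the transmitted value is also the stored value,
    so a captured token and a leaked database entry are interchangeable."""
    record = register("client_hash", password)
    return client_send("client_hash", password) == record["md5"]
```

The server-side scheme is still only as safe as its transport: the replay succeeds there too, which is why the thread ends at forcing HTTPS rather than at a different hash.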