Passing password to login form via GET?

kenw232 · September 15, 2013, 09:16:51 PM

I noticed going to a URL like this will auto-populate the username but not the password:
http://demo.roundcube.net/mail/[email protected]&_pass=demopwd

Any easy way to get the latest version of roundcube to auto-populate _pass too?

SKaero · September 15, 2013, 09:54:44 PM

Thats a terrible way to pass a password. If you want to do something like that use the http_authentication plugin.

kenw232 · September 15, 2013, 11:03:53 PM

why is it so bad? its just passing a string into a input's "value" variable. not a big deal. much easier then some plugin I have to fight.

In fact add this to the top of index.php and now the get variable of _user= can now just be user= without the _

if ($_GET['user'] <> "") : $_GET['_user'] = $_GET['user']; endif;

SKaero · September 16, 2013, 12:17:35 AM

Passing the password in the get sting puts it in the browser history and passed the password in clear text as part of the request. Its highly insecure.

Passing password to login form via GET?

kenw232

SKaero

kenw232

SKaero