Login should use POST and submit the username and password as part of the request body rather than in the query string. Using GET and query string params for logins will be blocked by the Infinite Campus application in the near future.
We can definitely change that, it's a super simple change. However, I'm curious how you know that GET logins are being deprecated by Infinite Campus. Are you connected with I.C. in any way?
Also: someone else brought up a similar issue earlier, see #17
You were correct in the other issue that HTTPS hides the query string. So the data is hidden in flight, but full URLs often show up in other places such as server logs. Using POST bodies to send sensitive data is generally preferred to reduce the number of places where sensitive data may show up.
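The server-log exposure described in the comment above, shown as an added example that is not part of the original thread or the library's code: a scanner that flags and redacts credentials left in the request line of access-log entries. The `/login` path, the `username`/`password` parameter names, the combined log format and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Parameter names treated as sensitive (assumed; adjust to the application).
SENSITIVE = {"username", "password"}

# Matches the quoted request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample log lines; addresses, paths and values are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login?username=alice&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "POST /login HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /grades?term=2&PASSWORD=p%40ss HTTP/1.1" 200 2048',
]

def leaked_params(line):
    """Return the sensitive query parameter names found in a log line's request target."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SENSITIVE]

def redact(line):
    """Replace sensitive query values with a marker, leaving the rest of the line intact."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = parts._replace(query=urlencode(pairs)).geturl()
    return line[:m.start("target")] + target + line[m.end("target"):]

def scan(lines):
    """Return (line_number, leaked_names, redacted_line) for every line that leaks."""
    return [(i, names, redact(l)) for i, l in enumerate(lines, 1) if (names := leaked_params(l))]

if __name__ == "__main__":
    for lineno, names, clean in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(names)} in query string\n  {clean}")
```

The POST entry is not flagged because a request body is not written to the access log by default, while the GET login records both values verbatim.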
Hm, that's an angle that I hadn't considered. In #17 I really only looked at it from the point of view of a MITM attack, but I hadn't considered server logs. As @arachno7 stated in the above-mentioned issue, switching to POST is basically a drop-in replacement. I'll try to push this change with #20 later this week.
I'd love to keep maintaining this library but unfortunately, I no longer have access to an Infinite Campus account that is enrolled in any courses. This has made trying to test PRs and solve issues very difficult. I'll try my best to get this done in a reasonable amount of time. The way I see it, the only way this project can stay alive is either if
a) other contributors take over (although this just kicks the can further down the line)
or
b) I somehow get access to an Infinite Campus account that's actively enrolled in courses. I'd love it if Infinite Campus gave me some kind of test/demo account that I can use for the purposes of developing this library. But I doubt that'd ever happen.
Anyways, thanks for the heads up, I really appreciate people contributing to this little project. :)