Derp Aderp RJ: Bertha Van Ation CO: Fancy McPants Post Rating: 0 Total Posts: 22 Karma: -4 Joined: Apr 5, 2012 |
Posted on Apr 13, 2012 For login, AJAX calls are done using GET, to this URL: http://www.ratjoy.com/login.php?username=<username>&password=<passwd>&nocache=<random> That means all login information for all players is stored in the clear in the Apache logs, unless I'm mistaken. Wouldn't it be better to use a POST for login? I'm sure the server is secure, but you never know what happens, and if someone gets access to the server, he would not need to crack the passwords from the DB but just check the Apache access logs. |
Scott (Admin) RJ: Ratan Joyce CO: Ratan Joyce Post Rating: 0 Total Posts: 1175 Karma: 5083 Joined: Jan 13, 2012 |
Posted on Apr 13, 2012 (Last edited on Apr 13, 2012) Technically I believe there is no difference: http://stackoverflow.com/questions/198462/get-versus-post-in-terms-of-security In practice, I see your point, it does feel a little better, so it's changed. AND if you're paranoid, you can always use https://www.ratjoy.com to log in. |
Billy Vierra RJ: Saffrian CO: Billy Vierra Post Rating: 0 Total Posts: 84 Karma: 100 Joined: Apr 10, 2012 |
Posted on Apr 13, 2012 Technically there is no difference, but if you look at your raw logs for the server (if they are the default logging method) for a request using GET you will see (for the page requested) something like login.php?username=<username>&password=<passwd>&nocache=<random>. When using POST you will see login.php (without everything else). The difference only matters if a bad guy gets a look at the logs: with GET for the login, they will get the username and password, whereas if they look at the logs that use POST for the login, they only see that login.php was requested :) Using HTTPS will secure the traffic to and from the server; however, it will not prevent the server from logging the parameters after decryption of the traffic. |
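The two log shapes described in the first and last posts (a GET login with the credentials in the query string versus a bare POST to login.php), as an added example that is not part of this thread and not RatJoy's own code: a small Python script that scans constructed Apache combined-format access log lines for request lines carrying a sensitive query parameter, and redacts those parameters so the credentials never sit in the log at rest. The sample log lines, the list of sensitive parameter names and the function names are all assumptions of the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed Apache combined-log lines (not real traffic): one GET login that
# leaks credentials into the query string, one POST login, one harmless GET.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2012:10:01:22 +0000] "GET /login.php?username=alice&password=hunter2&nocache=123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.6 - - [13/Apr/2012:10:02:03 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2012:10:02:41 +0000] "GET /index.php?page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Assumed list of parameter names that must never be stored in an access log.
SENSITIVE_PARAMS = {"password", "passwd", "pass", "pwd", "token", "secret"}

# Splits a combined-format line into: everything up to and including the method,
# the request target (path plus query string), and the rest of the line.
LOG_RE = re.compile(
    r'^(?P<prefix>.*?"(?P<method>[A-Z]+) )(?P<target>\S+)(?P<suffix> HTTP/[\d.]+".*)$'
)


def find_leaked_credentials(log_text):
    """Return (method, path, [leaked parameter names]) for each request line
    whose query string carries a sensitive parameter. A POST with the same
    fields in its body leaves no trace here, which is the point of the thread."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        leaked = sorted(
            k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS
        )
        if leaked:
            hits.append((m.group("method"), parts.path, leaked))
    return hits


def redact_line(line):
    """Replace the value of every sensitive query parameter with 'REDACTED',
    leaving the rest of the line (client IP, timestamp, status, size) intact."""
    m = LOG_RE.match(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    if not parts.query:
        return line
    pairs = [
        (k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    new_target = urlunsplit(parts._replace(query=urlencode(pairs)))
    return m.group("prefix") + new_target + m.group("suffix")


def redact_log(log_text):
    """Redact a whole log text line by line."""
    return "\n".join(redact_line(line) for line in log_text.splitlines())


if __name__ == "__main__":
    for method, path, params in find_leaked_credentials(SAMPLE_LOG):
        print(f"credential leak: {method} {path} carries {params}")
    print(redact_log(SAMPLE_LOG))
```

Running the script reports only the first line (`GET /login.php` carrying `password`); the POST line is untouched because the credentials travelled in the request body, which the default access log never records. Redaction after the fact is a clean-up measure; the durable fix is the one the admin applied (switching the login call to POST), optionally backed by a `LogFormat` that logs the path with `%U` instead of the full request line `%r`, so query strings never reach the log in the first place. As the last post notes, HTTPS does nothing for this case: TLS is stripped before Apache writes the log line.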