https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21325 Bug ID: 21325 Summary: Should we still allow user and password via GET parameters? Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: m.de.rooy@rijksmuseum.nl QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org In testing bug 13779, I just noticed that an URL like this works: https://[your_domain]/cgi-bin/koha/opac-reserve.pl?biblionumber=[some_biblionumber]&userid=[your_userid]&password=[your_password] Obviously, we should not expose credentials like that. But it raises the question: should we allow it then? -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.