Security flaw in the login form
Brought to you by: aubryp
By passing the username and password in the URL of the login form, one can fool anyone into logging on with the wrong identity.
When you use the following URL to access the login form:
http://cas.server.com/esup-cas-server/login?username=validusername&password=validpassword
the form appears empty, but once the user enters his/her username/password and submits it, it is actually the values passed in the URL that are validated. The user logs on with the wrong identity.
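The behaviour reported above, modelled as an added example that is not part of this report nor of esup-cas-server's own code: a defective login handler that merges query-string and form-body parameters with the query string taking precedence (the general pattern of servlet-style `getParameter` APIs, which present query-string data before POST body data), beside a hardened handler that reads credentials only from the POSTed body and flags any credential keys found in the URL so the event can be logged. The parameter names, the request values and the function names are constructed for the illustration.

```python
from urllib.parse import parse_qs

# Constructed sample request: a URL seeded with one identity's credentials,
# and the credentials the real user actually typed into the form body.
SAMPLE_QUERY = "username=validusername&password=validpassword"
SAMPLE_BODY = "username=realuser&password=realuserpass"

CREDENTIAL_KEYS = ("username", "password")


def _first(params, key):
    """Return the first value for key from a parse_qs result, or None."""
    values = params.get(key)
    return values[0] if values else None


def credentials_merged(query_string, body):
    """Defective pattern: query and body parameters are merged into one map
    and the query string wins. Whatever identity is embedded in the URL is
    what ends up being validated, regardless of what the user typed."""
    params = parse_qs(body, keep_blank_values=True)
    params.update(parse_qs(query_string, keep_blank_values=True))
    return _first(params, "username"), _first(params, "password")


def credentials_from_body(query_string, body):
    """Hardened pattern: credentials are taken only from the POSTed form body.
    Credential keys present in the query string are never consulted; they are
    returned as a list so the caller can log the attempt and, if desired,
    refuse the request outright."""
    query = parse_qs(query_string, keep_blank_values=True)
    leaked = sorted(key for key in CREDENTIAL_KEYS if key in query)
    form = parse_qs(body, keep_blank_values=True)
    return _first(form, "username"), _first(form, "password"), leaked


def handle_login(query_string, body):
    """Hardened login entry point: reject any request that carries credential
    parameters in the URL, otherwise authenticate with the body values only."""
    username, password, leaked = credentials_from_body(query_string, body)
    if leaked:
        return {"status": "rejected",
                "reason": "credentials supplied in URL: " + ", ".join(leaked)}
    if not username or not password:
        return {"status": "rejected", "reason": "missing credentials"}
    return {"status": "ok", "username": username}


if __name__ == "__main__":
    print("merged (defective): ", credentials_merged(SAMPLE_QUERY, SAMPLE_BODY))
    print("body only (hardened):", credentials_from_body(SAMPLE_QUERY, SAMPLE_BODY))
    print("handler decision:    ", handle_login(SAMPLE_QUERY, SAMPLE_BODY))
```

Rejecting the request when credential keys appear in the query string, rather than silently ignoring them, is the safer choice: credentials in a URL also end up in server access logs, proxy logs and Referer headers, so their presence is worth surfacing to the operator.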