On Sat, Oct 26, 2019 at 06:35:18PM +0800, Nala Ginrut wrote: > On Sat, Oct 26, 2019 at 3:49 PM wrote: > > > On Thu, Oct 24, 2019 at 09:39:04PM -0400, Mike Gerwitz wrote: > > > > thanks for your good overview... a question > > > > > Passing session tokens via GET requests is a bad idea, because that > > > leaks the token. > > > > Even in https? > > > > I guess he mean query-string with GET. That's another possibility. Both of them end up encrypted in HTTPS anyway. I decided against query string at that time because that saved me quite a bit of template substitution (use relative links). Cheers -- tomás