Password shown in url

 
kleinmp

When I log in with the AJAX login form, I noticed that from that point on, my URLs contain both my username and password in plaintext,
i.e. https://my-site.unfuddle.com/…?ajax_username=my-username&ajax_password=my-password.

That isn’t very secure. This only happens when my session expires while I’m working in Unfuddle and the AJAX popup comes up.

 
David C.

Kleinmp,

You are right. This is insecure and completely unacceptable.

This issue was the unfortunate result of a very recent (within the last 24 hours) deploy. Please note that the issue only persisted for a few hours earlier today and has since been fixed.

If you have not done so already, please clear your cache and reload Unfuddle in your browser to make sure you have the updated interface.

I apologize for the inconvenience.
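
The following is an added example, not part of the original thread and not Unfuddle's code. A password carried in a query string is also written to server access logs and sent onward in Referer headers, so this script scans log lines for parameters such as `ajax_password` and redacts their values. The log format, the sample lines and the extra parameter-name patterns are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# ajax_password is the parameter named in the thread; the other name
# patterns are assumptions added for illustration.
SENSITIVE = re.compile(r"(pass(word|wd)?|secret|token)$", re.IGNORECASE)
# Any token in a log line that carries a query string (request target or Referer).
URL_WITH_QUERY = re.compile(r'[^\s"]+\?[^\s"]+')

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /projects/1/tickets'
    '?ajax_username=alice&ajax_password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /static/app.css HTTP/1.1" 200 900 '
    '"https://example.invalid/projects/1/tickets?ajax_username=alice&ajax_password=hunter2"'
    ' "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /projects/1/tickets?page=2 HTTP/1.1"'
    ' 200 512 "-" "Mozilla/5.0"',
]

def redact_url(url):
    """Return (url_with_secret_values_replaced, names_of_secret_params_found)."""
    parts = urlsplit(url)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE.search(name):
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return url, found  # leave untouched URLs byte-for-byte identical
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

def scan_log(lines):
    """Return [(line_number, redacted_line, param_names)] for lines exposing secrets."""
    findings = []
    for number, line in enumerate(lines, start=1):
        names = []
        def replace(match):
            redacted, found = redact_url(match.group(0))
            names.extend(found)
            return redacted
        clean = URL_WITH_QUERY.sub(replace, line)
        if names:
            findings.append((number, clean, names))
    return findings

if __name__ == "__main__":
    for number, clean, names in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(names)} exposed -> {clean}")
```

The second sample line shows the same password arriving through the Referer of a follow-up request, which is why the scan covers every URL in the line and not only the request target.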