It doesn't matter what other lawyers think - only what the FSF and the Joomla developers think.

Sorry for the delayed response here.

Are you still having problems with the Login2 function? I wasn't aware of that post.

If you have to pass the password through the URL, you should pass the encrypted password and set hash_passwrd to "1". The code we use to hash passwords is as follows:


{membername} = the username
{password} = the password

The URL will indeed be logged in the browser's history, because at some point, the browser is directed to that URL, whether directly (by clicking on something) or indirectly (being redirected there from another page). Server-side stats programs such as AWStats will also log the URL since the user visited that URL.

Passing the un-hashed password via the query string is extremely insecure - especially on public computers. This is a serious flaw that needs to be addressed. We have already made the decision to warn our users about this, and we would appreciate it if you addressed this.