The password was set into the session object and also retrieved from it in various scripts. These scripts did not use the password but echoed it sometimes in an URL for a next action (which did not use the password too). This is a security leak. Major modification of the scripts in this commit remove code to set/retrieve the password from the session object. Minor modifications are listed in the modification comments of the scripts. The deleted scripts were not used.
https://github.com/ABCD-DEVCOM/ABCD2/commit/05d0e5ba5d23025318a6b55c3088f59e150275eb