The steps to reproduce the error:
1) create a controller with requires_login()
2) make this controller post to itself (lets suppose this field is a credit card number)
3) login to application
4) go to controller and fill the credit card field / secret field, but not submit yet
5) hold until auth session expires
6) click the submit button
Now the secret field post or whatever data you are submitting is exposed into the URL as GET vars, and worse, saved into browser history
This happens b/c even post_vars are writen into the URL when requires_login is called.
This may be an issue if your app handles passwords, keys, secure data, secrets, etc...
Maybe the solution is to store post_vars into session during this kind of action?
Should we consider this as issue or not?