When using passwords and session tokens, as in Servlets 4b, is it ever acceptable to use hidden form fields with a GET method request? The token is by no means hidden. It clearly appears in the URL. So why call it hidden? Does the assignment require that it be totally hidden or is that programmer's discretion?