cookies – post method password change form

Password change form

Request

POST https://qoeuhswwetmn.net/password/change_passwd.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 111
Origin: https://qoeuhswwetmn.net
DNT: 1
Connection: keep-alive
Referer: https://qoeuhswwetmn.net/password/change_passwd.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Host: qoeuhswwetmn.net


username=and.tessen%40qoeuhswwetmn.net&OldPwd=Horset62%26L&NewPwd=gamer4Y2L21&NewPwdConf=gamer4Y2L21

Given the above intercepted request, are there any security issues?

The fact that there are no tokens, might that be a concern?

A user is actually compelled to know the old password and I think this is actually a good point.

Also, since there are no cookies (auth cookies) this means that multiple calls cannot be performed

Best practices related to sensitive form, would they imply the use of tokens?