aka: Failed form validation profills failed password and 2FA fields in Joomla 4
Comparison with Joomla 3 for information only.
attempt to login to Joomla 3.* admin console with a fake password
attempt to login to Joomla 4.* admin console with a fake password
attempt to login to Joomla 3.* with a fake password = both username and password are empty on failing validation, 2FA Secret Key is removed from form
attempt to login to Joomla 4.* with a fake password = both username and password are empty on failing validation, or at least the password is empty, 2FA Secret Key is removed from form
attempt to login to Joomla 3.* with a fake password = both username and password are empty on failing validation, 2FA Secret Key is removed from form
attempt to login to Joomla 4.* with a fake password = both username and password are pre completed with the failed information, 2FA Secret Key is pre populated with failed information
Note that on the FRONTEND all fields are empty on failed login, and that the bug is on the admin login on /administrator/ only
Labels |
Added:
?
|
Just case its expected doesn't mean its right :)
Technically it can change but that would make AJAX completely pointless here. So might as well just remove it.
I don’t know of any other website or service that would show you your failed password or 2fA string after a failed login attempt.
The most that should be retained on failed login (like GitHub login itself) is the username
Sent from my iPhone
On 9 Jun 2020, at 14:31, Jacob Waisner notifications@github.com wrote:
I wouldnt advocate for removing something just for a consistency adjustment. I know there was a reason we moved the backend login to AJAX, but have forgotten.@wilsonge are you in agreement that this is expected behavior as this is using AJAX?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
Nothing is being stored anywhere. The page simply does not get refreshed.
I never said it gets stored, I said it did not get removed. It should be removed.
Do you remove data from forms submitted by AJAX when the submission returns a 4xx or 5xx error? If no, why should a login form be different?
I don't have time to go incognito and try the logins for a dozen different services to see if their login forms do proper form submissions or AJAX based requests (why the admin login page was rewritten to use AJAX I still don't understand), but it seems somewhat counter-intuitive to write even more JavaScript for a page that should require zero JavaScript to function to wipe out the form's fields in the "submit" event just to emulate a "proper" POST request.
I guess if we are removing the Ajax, then the security issue I reported will become null and void, because at the moment the Ajax login has a security issue too...
Which issue are you talking about?
The issue I have reported to the JSST.
Do you remove data from forms submitted by AJAX when the submission returns a 4xx or 5xx error? If no, why should a login form be different?
Because its a login form.
I don't have time to go incognito and try the logins for a dozen different services
I did, I never found one using Ajax, but all the login forms I tested, without fail, all removed the password value from the password field on failed authentication.
Even Joomla 3 removes not only the failed password, but the username and secret key, when a posted authentication form is rejected
seems somewhat counter-intuitive to write even more JavaScript for a page that should require zero JavaScript to function to wipe out the form's fields in the "submit" event just to emulate a "proper" POST request.
a page that should require zero JavaScript to function
Well there is also a proposal #29571 to remove the Ajax login, just muting and rendering this issue void... ironically then, the password field is removed on failed login on a standard POST ;-) (I assume, like joomla 3, not tested)
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-10-21 06:49:46 |
Closed_By | ⇒ | SharkyKZ |
Backend uses AJAX for login so this is expected.