Backend uses AJAX for login so this is expected.

Just case its expected doesn't mean its right :)

@SharkyKZ is this something we could make happen with AJAX for consistency or is this something that has to remain this way due to using AJAX?

Technically it can change but that would make AJAX completely pointless here. So might as well just remove it.

I wouldnt advocate for removing something just for a consistency adjustment. I know there was a reason we moved the backend login to AJAX, but have forgotten.

@wilsonge are you in agreement that this is expected behavior as this is using AJAX?

I don’t know of any other website or service that would show you your failed password or 2fA string after a failed login attempt.

The most that should be retained on failed login (like GitHub login itself) is the username

Sent from my iPhone

On 9 Jun 2020, at 14:31, Jacob Waisner notifications@github.com wrote:


I wouldnt advocate for removing something just for a consistency adjustment. I know there was a reason we moved the backend login to AJAX, but have forgotten.

@wilsonge are you in agreement that this is expected behavior as this is using AJAX?

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or unsubscribe.

Nothing is being stored anywhere. The page simply does not get refreshed.

I never said it gets stored, I said it did not get removed. It should be removed.

Do you remove data from forms submitted by AJAX when the submission returns a 4xx or 5xx error? If no, why should a login form be different?

I don't have time to go incognito and try the logins for a dozen different services to see if their login forms do proper form submissions or AJAX based requests (why the admin login page was rewritten to use AJAX I still don't understand), but it seems somewhat counter-intuitive to write even more JavaScript for a page that should require zero JavaScript to function to wipe out the form's fields in the "submit" event just to emulate a "proper" POST request.

Unless someone can explain why it was added in the first place, here's PR for removing AJAX #29571.

I guess if we are removing the Ajax, then the security issue I reported will become null and void, because at the moment the Ajax login has a security issue too...

Which issue are you talking about?

The issue I have reported to the JSST.

Do you remove data from forms submitted by AJAX when the submission returns a 4xx or 5xx error? If no, why should a login form be different?

Because its a login form.

I don't have time to go incognito and try the logins for a dozen different services

I did, I never found one using Ajax, but all the login forms I tested, without fail, all removed the password value from the password field on failed authentication.

Even Joomla 3 removes not only the failed password, but the username and secret key, when a posted authentication form is rejected

seems somewhat counter-intuitive to write even more JavaScript for a page that should require zero JavaScript to function to wipe out the form's fields in the "submit" event just to emulate a "proper" POST request.

• its one line of code to remove the failed password on Ajax login failure
• Im not saying all the fields should be wiped out on submit, Im saying only the password field should be removed, and only on failure to authenticate

a page that should require zero JavaScript to function

Well there is also a proposal #29571 to remove the Ajax login, just muting and rendering this issue void... ironically then, the password field is removed on failed login on a standard POST ;-) (I assume, like joomla 3, not tested)

#29571 was merged. Closing this.