Bug #22945
closed
No BE Login possible when loginSecurityLevel = normal
0%
Description
When setting $TYPO3_CONF_VARS['BE']['loginSecurityLevel'] to 'normal', the Backend-Login does not work at all.
The setting 'normal' causes the following:
- password is NOT encrypted on BE Login Form (via JS)
- password is checked against the DB value (which is of course the MD5 hash of the password)
=> therefore the BE login fails
Why the heck would anybody want the password to be transmitted as plaintext? Simple: we are using SSL (so plaintext is fine) and a service extension which needs the real/unencrypted password to authenticate the user against an external service, so loginSecurityLevel = normal for the BE is a must.
Apparently loginSecurityLevel setting for BE is implemented in a contradictory/inconsistent way in 4.3.x:
It seems not to be supported by the BE Login process, BUT when you are logged in and your session times out, the JS file /js/loginrefresh.js contains a check for the loginSecurityLevel on line 306:
if (TS.securityLevel 'superchallenged' || TS.securityLevel 'challenged') {
//
} else {
// this is executed when loginSecurityLevel = normal
// here we reach another bug - separate issue
}
(issue imported from #M14801)
Updated by Alexander Opitz over 10 years ago
- Status changed from New to Needs Feedback
- Target version deleted (
0) - Is Regression set to No
Hi,
as this issue is very old. Does the problem still exists within newer versions of TYPO3 CMS (6.1)?
Updated by Alexander Opitz over 10 years ago
- Status changed from Needs Feedback to Closed
No feedback within the last 90 days => closing this ticket.
If you think that this is the wrong decision or experience this issue again, then please write to the mailing list typo3.teams.bugs with issue number and an explanation or open a new ticket and add a relation to this ticket number.