Bug #22945

closed

No BE Login possible when loginSecurityLevel = normal

Added by Rocco Georgi almost 14 years ago. Updated over 10 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2010-06-21
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.3
PHP Version: 4.3
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

When setting $TYPO3_CONF_VARS['BE']['loginSecurityLevel'] to 'normal', the Backend-Login does not work at all.

The setting 'normal' causes the following:
- password is NOT encrypted on BE Login Form (via JS)
- password is checked against the DB value (which is of course the MD5 hash of the password)
=> therefore the BE login fails

Why the heck would anybody want the password to be transmitted as plaintext? Simple: we are using SSL (so plaintext is fine) and a service extension which needs the real/unencrypted password to authenticate the user against an external service, so loginSecurityLevel = normal for the BE is a must.

Apparently the loginSecurityLevel setting for BE is implemented in a contradictory/inconsistent way in 4.3.x:

It seems not to be supported by the BE Login process, BUT when you are logged in and your session times out, the JS file /js/loginrefresh.js contains a check for the loginSecurityLevel on line 306:

if (TS.securityLevel == 'superchallenged' || TS.securityLevel == 'challenged') {
	//
} else {
	// this is executed when loginSecurityLevel = normal
	// here we reach another bug - separate issue
}

(issue imported from #M14801)
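
Added example, not part of the original report and not TYPO3 source code: a small Node.js model of the mismatch described above, where a plaintext ('normal') submission is compared against an MD5 value stored in the DB. The challenge-response formulas for 'challenged' and 'superchallenged' are an assumption about TYPO3 4.x; the function names, user record and challenge value are constructed.

```javascript
// Added illustration, not TYPO3 code. Names and sample values are constructed.
const crypto = require('crypto');
const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Value the login form puts in the password field for each loginSecurityLevel.
// The two challenge formulas are assumed; the report only states that
// 'normal' sends the password without client-side hashing.
function clientSubmit(level, username, password, challenge) {
  switch (level) {
    case 'superchallenged': return md5(`${username}:${md5(password)}:${challenge}`);
    case 'challenged':      return md5(`${username}:${password}:${challenge}`);
    default:                return password; // 'normal': plaintext, protected only by SSL/TLS
  }
}

// Server-side check as the report describes it: under 'normal' the submitted
// value is compared directly with the DB column, which holds md5(password).
function verifyAsReported(level, user, submitted, challenge) {
  if (level === 'superchallenged' || level === 'challenged') {
    return submitted === md5(`${user.username}:${user.stored}:${challenge}`);
  }
  return submitted === user.stored;
}

// Consistent check: under 'normal' the server hashes the plaintext the same way
// the stored value was produced before comparing. An authentication service
// hooked in before this step would still see the real password.
function verifyConsistent(level, user, submitted, challenge) {
  if (level === 'normal') return md5(submitted) === user.stored;
  return verifyAsReported(level, user, submitted, challenge);
}

// Runs all three levels against one constructed BE user with an MD5 DB value.
function demo() {
  const password = 's3cret-example';
  const user = { username: 'editor', stored: md5(password) };
  const challenge = 'c0ffee';
  const out = { asReported: {}, consistent: {} };
  for (const level of ['superchallenged', 'challenged', 'normal']) {
    const sent = clientSubmit(level, user.username, password, challenge);
    out.asReported[level] = verifyAsReported(level, user, sent, challenge);
    out.consistent[level] = verifyConsistent(level, user, sent, challenge);
  }
  return out;
}

console.log(demo());
```

In this model 'challenged' fails in both checks, because it presumes the DB holds the plaintext password rather than its MD5 hash.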
