Bug #22945
closed
No BE Login possible when loginSecurityLevel = normal
Description
When setting $TYPO3_CONF_VARS['BE']['loginSecurityLevel'] to 'normal', the Backend-Login does not work at all.
The setting 'normal' causes the following:
- password is NOT encrypted on BE Login Form (via JS)
- password is checked against the DB value (which is of course the MD5 hash of the password)
=> therefore the BE login fails
Why the heck would anybody want the password to be transmitted as plaintext? Simple: we are using SSL (so plaintext is fine) and a service extension which needs the real/unencrypted password to authenticate the user against an external service, so loginSecurityLevel = normal for the BE is a must.
Apparently the loginSecurityLevel setting for BE is implemented in a contradictory/inconsistent way in 4.3.x:
It seems not to be supported by the BE Login process, BUT when you are logged in and your session times out, the JS file /js/loginrefresh.js contains a check for the loginSecurityLevel on line 306:
if (TS.securityLevel == 'superchallenged' || TS.securityLevel == 'challenged') {
//
} else {
// this is executed when loginSecurityLevel = normal
// here we reach another bug - separate issue
}
(issue imported from #M14801)