[MGNLUI-3459] Keep username on login error
Created: 12/Jun/15  Updated: 13/Mar/17  Resolved: 13/Mar/17

Status: Closed
Project: Magnolia UI
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement
Priority: Neutral
Reporter: Magnolia International
Assignee: Unassigned
Resolution: Won't Do
Votes: 0
Labels: None
Remaining Estimate: 0d
Time Spent: 5h 35m
Original Estimate: Not Specified

Issue Links:
relation
is related to MGNLPUR-156 Keep username on login error Closed
is related to MGNLSTK-1488 Keep username on login error Closed
supersession
supersedes MGNLUI-1708 Username field should have focus afte... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Date of First Response:

 Description   

When a login error occurs, it's much more likely the password is wrong; we should (probably?) keep the username field filled in, and set the focus on the password field. (We currently have both fields empty, and focus set on the username field in any case.)



 Comments   
Comment by Federico Grilli [ 02/Jul/15 ]

I don't think we should use ?html because, if I'm not mistaken, chars like < > & are legit for a username, and escaping them and then submitting would result in a login error.

Comment by Jan Haderka [ 02/Jul/15 ]

But should such characters be allowed in the user name? Does it make any sense?

Comment by Federico Grilli [ 02/Jul/15 ]

Probably not but that's how it is now. I think, at least for the issue at hand, we should not do any escaping.

Comment by Jan Haderka [ 02/Jul/15 ]

No escaping is a security vulnerability. Anything that comes with the request has to be treated as potentially unsafe, thus ignored or escaped. I would much rather ignore (i.e. not enable this feature for anyone w/ special char in name) than have something that can do injection ... especially on a page where you enter your password.

Comment by Magnolia International [ 03/Jul/15 ]

Before anything happens, we need an answer to the question in the description of this ticket.
And it certainly doesn't belong in maintenance, unless we identify this as a problem that prevents older versions from working correctly. ( .... )
Lastly, as Jan points out, security concerns need to be addressed first and foremost, and the login form itself is probably not the place to do that.
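
Added example, not part of the ticket or of Magnolia's code: a Python sketch of the two options raised in the comments, output-encoding the reflected username for the HTML attribute context versus not prefilling names that contain special characters. It parses the rendered field to show which value a form would hold. Python's `html.escape` stands in for FreeMarker's `?html`; the field name `username`, the allow-list pattern and the sample names are assumptions constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# Assumed allow-list for the "ignore" option; not Magnolia's actual username rule.
PLAIN_NAME = re.compile(r"[\w.@-]{1,64}")


def render_username_field(username: str, escape: bool = True) -> str:
    """Render the username input prefilled after a failed login."""
    value = html.escape(username, quote=True) if escape else username
    return f'<input type="text" name="username" value="{value}">'


def prefill_or_ignore(username: str) -> str:
    """'Ignore' option: only echo names made of plain characters."""
    return username if PLAIN_NAME.fullmatch(username) else ""


class _FormProbe(HTMLParser):
    """Records the tags an HTML parser sees and the input's decoded value."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and self.value is None:
            self.value = dict(attrs).get("value")


def parse_field(markup: str):
    """Return (tags, value) as parsed from the rendered markup."""
    probe = _FormProbe()
    probe.feed(markup)
    probe.close()
    return probe.tags, probe.value


if __name__ == "__main__":
    sample = 'a"><i>&b'  # constructed username containing " < > &
    for escape in (True, False):
        tags, value = parse_field(render_username_field(sample, escape))
        print(f"escape={escape}: tags={tags} value={value!r}")
    print("ignore option:", repr(prefill_or_ignore(sample)))
```

With escaping, the parser decodes the entities inside the attribute, so the field holds the original string and the markup contains only the `input` element; without it, the value is cut at the first quote and the rest of the name is parsed as markup.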

Generated at Mon Feb 12 09:06:49 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.