do not allow empty passwords
When a username but no password is submitted, the login is denied right away instead of relying on the backend to refuse the login.
This commit is contained in:
parent
bd281746d3
commit
ee84e0b5e9
|
@ -229,7 +229,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) {
|
|||
|
||||
if(!empty($user)) {
|
||||
//usual login
|
||||
if($auth->checkPass($user, $pass)) {
|
||||
if(!empty($pass) && $auth->checkPass($user, $pass)) {
|
||||
// make logininfo globally available
|
||||
$INPUT->server->set('REMOTE_USER', $user);
|
||||
$secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session
|
||||
|
|
Loading…
Reference in New Issue