Modernization of the login and registration method.

  • Hello,

    We originally had the login form placed inside a dialog overlay and have finally removed it in version 5.5. The reason is that those login overlays are a potential security issue, because they can exist on the same page as user generated content lives.

    Now imagine a security flaw in the handling of user generated content that allows an attacker to inject code on that page. The attacker can now directly modify or otherwise read data from the login overlay.

    Placing the login and registration form on separate pages might not look „modern“, but is actually a good security practice because it isolates them from potentially malicious user generated content.

  • Alexander Ebert February 13, 2023 at 2:29 PM

    Added the Label Won’t be implemented
  • Hi

    Additional information is available in this German post by Alexander:

    Alexander Ebert
    April 20, 2022 at 5:02 PM
  • I think this option should stay as an additional option that can be enabled in the panel.

    No, because this is a severe security risk.

    The consequences of the dialog in the context of a stored XSS are fatal. An attacker could easily steal your credentials this way without you even noticing, because everything happens in the context of the web page.

    I do understand the idea of placing the login dialog in an overlay for design reasons, but a gimmick feature is not worth compromising the security of the users’ accounts.

    There is a reason why all larger sites have moved away from in-place login views and instead placed them on dedicated pages with little to no visual fidelity. The login form is a security critical component, and keeping it alongside the regular page is a severe security risk.
