Simplifying the way of logging in and registering with a popup window.
Something like this on the screen (I did it quickly to illustrate what's going on)
Xenforo engine and IPS have it.
The login dialog existed prior to 5.5, but was removed intentionally.
Hello,
We originally had the login form placed inside a dialog overlay and have finally removed it in version 5.5. The reason is that those login overlays are a potential security issue, because they can exist on the same page where user generated content lives.
Now imagine a security flaw in the handling of user generated content that allows an attacker to inject code on that page. The attacker can now directly modify or otherwise read data from the login overlay.
Placing the login and registration form on separate pages might not look „modern“, but is actually a good security practice because it isolates them from potentially malicious user generated content.
Hi
Additional information is available in this German post by Alexander:
I think this option should stay as an additional option that can be enabled in the panel. In IPS it can also be turned off in the admin panel.
I think this option should stay as an additional option that can be enabled in the panel.
No, because this is a severe security risk.
The consequences of the dialog in the context of a stored XSS are fatal. An attacker could easily steal your credentials this way without you even noticing, because everything happens in the context of the web page.
I do understand the idea of placing the login dialog in an overlay for design reasons, but a gimmick feature is not worth compromising the security of the users’ accounts.
There is a reason why all larger sites have moved away from in-place login views and instead placed them on dedicated pages with little to no visual fidelity. The login form is a security critical component and keeping it along with the regular page is a severe security risk.
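The isolation rule argued for in this thread can be enforced as a check over rendered pages: no page may carry both a password field and user generated content. The following is an added example, not code from the thread or from the forum software; the class names marking user content and the sample pages are hypothetical and constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: templates mark user generated content with these class names (hypothetical).
UGC_CLASSES = {"messageText", "userSignature"}

class PageAudit(HTMLParser):
    """Counts password inputs and user-content regions in one rendered page."""
    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.ugc_regions = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        if set((a.get("class") or "").split()) & UGC_CLASSES:
            self.ugc_regions += 1

def audit(html):
    parser = PageAudit()
    parser.feed(html)
    parser.close()
    return {
        "password_fields": parser.password_fields,
        "ugc_regions": parser.ugc_regions,
        # The condition the thread warns about: credentials and user content share one DOM.
        "co_located": parser.password_fields > 0 and parser.ugc_regions > 0,
    }

def find_violations(pages):
    """Return the names of pages where a login form shares the document with user content."""
    return sorted(name for name, html in pages.items() if audit(html)["co_located"])

# Constructed sample pages (not taken from any real installation).
SAMPLE_PAGES = {
    "thread_with_overlay": '<div class="messageText">post body</div>'
                           '<div class="dialog"><form action="/login/">'
                           '<input name="u"><input type="password" name="p"></form></div>',
    "thread_with_link": '<div class="messageText">post body</div><a href="/login/">Login</a>',
    "dedicated_login": '<form action="/login/"><input name="u">'
                       '<input type="Password" name="p"/></form>',
}

if __name__ == "__main__":
    for name in find_violations(SAMPLE_PAGES):
        print("login form co-located with user content:", name)
```

The check only sees markup present in the served HTML; a dialog fetched later by script needs the same check applied to the rendered DOM.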