Details
Description
When you fail to log in to the CMS, you don't get the correct HTTP response code as a result. This makes it more difficult to react to failed logins with a web application firewall (WAF).
I've tested this with 13.4.1-1
Reproduction path:
- Run a project locally
- Go to the CMS login page
- Observe network traffic in browser dev tools
- Enter wrong credentials
Expected behaviour:
- get a 401 (Unauthorized) response code
Actual result:
- get a 302 (Found), forwarding to "Location: ./?0"
- get a number of 200 response codes
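
Added example, not part of the original report: a status-code-based failed-login rule of the kind a WAF or log monitor applies, run over constructed access-log lines, showing that it fires when failed logins return 401 and sees nothing when they return 302 followed by 200s. The login path `/cms/login`, the threshold, the client IP and the log lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Combined-log-style line: client IP, request method, path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

LOGIN_PATH = "/cms/login"  # hypothetical path, not taken from the report
THRESHOLD = 3              # assumed: failed logins per IP before reacting


def failed_login_sources(lines, threshold=THRESHOLD):
    """Return client IPs with at least `threshold` 401 responses to login POSTs."""
    failures = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, method, path, status = m.groups()
        is_login = method == "POST" and path.split("?")[0] == LOGIN_PATH
        if is_login and status == "401":
            failures[ip] += 1
    return {ip for ip, n in failures.items() if n >= threshold}


def make_log(failed_status, attempts=4, ip="203.0.113.7"):
    """Build constructed log lines for `attempts` wrong-password submissions."""
    lines = []
    for i in range(attempts):
        ts = f"01/Jan/2024:10:00:{i:02d} +0000"
        lines.append(f'{ip} - - [{ts}] "POST {LOGIN_PATH} HTTP/1.1" {failed_status} 0')
        if failed_status == "302":
            # Reported behaviour: redirect to "./?0", then pages served with 200.
            lines.append(f'{ip} - - [{ts}] "GET /cms/?0 HTTP/1.1" 200 5120')
    return lines


if __name__ == "__main__":
    print("reported (302):", failed_login_sources(make_log("302")))
    print("expected (401):", failed_login_sources(make_log("401")))
```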