Opened 3 years ago
Closed 3 years ago
#1487036 closed Bugs (fixed)
Race condition in login can cause credentials to be stored in browser history
| Reported by: | bca | Owned by: | |
|---|---|---|---|
| Priority: | 3 | Milestone: | 0.5-beta |
| Component: | User Interface | Version: | 0.4.1 |
| Severity: | major | Keywords: | |
| Cc: | | | |
Description
If you type your credentials on the login page, press Enter to log in and click the login button fast enough, you get an aborted request in your browser that sits in the history with your login credentials ready to use if you go back through the browser history. The aborted request circumvents the redirect Roundcube does to clear away the credentials.
Change History (3)
comment:1 Changed 3 years ago by alec
- Milestone changed from later to 0.5-beta
I don't understand this. Is this a Roundcube or a browser issue? What can we do? Doing this "double login" I've observed an issue (maybe different from yours): the messages list is empty after such a login.
comment:2 Changed 3 years ago by bca
Both...
That browsers store inputs of type=password is of course some of the problem, but depending on how much time Roundcube uses from the POST until the browser gets the redirect back, this is something that could happen a lot or never. The first time I ran into it I did some testing with JavaScript off and nothing happened when I pressed return (or at least so it seemed for a few seconds), so I clicked login. I guess some of this can be prevented by ensuring the first POST returns the redirect as fast as possible, maybe doing the actual authentication later than in the first POST request, or maybe disabling the login button once the form is submitted...
comment:3 Changed 3 years ago by alec
- Resolution set to fixed
- Status changed from new to closed
I think [effdb3c0] should fix this.
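The client-side mitigation bca suggests in comment:2 (disable the login button once the form is submitted) can be written as a one-shot submit guard. The block below is an added example, not Roundcube's code and not the fix in [effdb3c0]; the element ids `login-form` and `login-button` are assumed. The guard logic is kept DOM-free so the race (Enter key followed by a fast click) can be simulated outside a browser; only the last few lines touch the page. It does not replace the server-side redirect, and it does nothing when JavaScript is off, as in bca's test.

```javascript
// Added example (not Roundcube's code): a one-shot submit guard for a login form.
// Once the form has been submitted once, every further submit is blocked until the
// server's redirect replaces the page, so a second POST cannot cancel the first one
// and leave an aborted request with the credentials attached in browser history.

// Pure guard state, kept DOM-free so it can be exercised without a browser.
function createSubmitGuard() {
  let submitted = false;
  return {
    // Returns true for the first attempt, false for every later attempt.
    trySubmit() {
      if (submitted) return false;
      submitted = true;
      return true;
    },
    // Re-arm the guard if the request fails client-side (e.g. network error),
    // so the user can retry without reloading the page.
    reset() { submitted = false; },
    isSubmitted() { return submitted; },
  };
}

// Simulate the race from the ticket: a list of submit triggers arriving in quick
// succession ("enter", "click", ...). Returns which of them would actually go out.
function simulateRace(events) {
  const guard = createSubmitGuard();
  return events.map(() => guard.trySubmit());
}

// Wire the guard to a real form. `form` must support addEventListener('submit', ...)
// and `button` must have a `disabled` property; both are assumed, not Roundcube's.
function attachLoginGuard(form, button) {
  const guard = createSubmitGuard();
  form.addEventListener('submit', (ev) => {
    if (!guard.trySubmit()) {
      ev.preventDefault();   // swallow the duplicate submit (second Enter or click)
      return;
    }
    button.disabled = true;  // also stops the fast second click before it fires
  });
  return guard;
}

// Browser entry point; element ids are assumed for the example.
if (typeof document !== 'undefined') {
  const form = document.getElementById('login-form');
  const button = document.getElementById('login-button');
  if (form && button) attachLoginGuard(form, button);
}
```

The guard only closes the client-side half of the race; the POST/redirect timing on the server side that bca describes is unaffected by it.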