From 251314ceb89ed63c6fd7a84f76071d26432bf8da Mon Sep 17 00:00:00 2001
From: jvanbraekel <29703119+jvanbraekel@users.noreply.github.com>
Date: Wed, 24 Jul 2019 09:43:03 +0200
Subject: [PATCH] Only return get_vars after a failing login

Since the redirect is a GET action, there is no reason to return post vars from the failing attempt.
---
 gluon/tools.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/gluon/tools.py b/gluon/tools.py
index aefebbc5..e6421b88 100644
--- gluon/tools.py
+++ gluon/tools.py
@@ -2638,9 +2638,7 @@ class Auth(AuthAPI):
 # invalid login
 session.flash = specific_error if self.settings.login_specify_error else self.messages.invalid_login
 callback(onfail, None)
- if 'password' in request.post_vars:
- del request.post_vars['password']
- redirect(self.url(args=request.args, vars=request.vars),client_side=settings.client_side)
+ redirect(self.url(args=request.args, vars=request.get_vars),client_side=settings.client_side)
 else:
 # use a central authentication server
 cas = settings.login_form
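Review bot: The new `redirect(...)` line carries no comment saying why it passes `request.get_vars` rather than `request.vars`, and that choice is what keeps the submitted login fields out of the redirect URL (and so out of access logs, browser history and Referer headers). I would add above it `# redirect is a GET: echo only query-string vars, never the POSTed login fields`, so a later cleanup does not switch it back. The query string is still echoed unfiltered, so a password-named parameter sent in the URL would be reflected now that the explicit `del` is gone; whether the login form can receive one that way depends on code outside this hunk. The patch touches only gluon/tools.py, so a regression test asserting that the redirect target after a failed login contains no post field would help pin this down. The enclosing login method starts and ends outside the hunk.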