Cookie value could still be shown after post, due to partial fix in commit
v2.5-1-g4c8b6c0ab0 (2018-04-20) [exclude cookie data from user name default].
<form action="" method="post">
<input id="login" name="login" placeholder="Gebruikersnaam" value="<?php
- if (isset($_POST['login'])) print htmlspecialchars($_REQUEST['login']);
+ if (isset($_POST['login'])) print htmlspecialchars($_POST['login']);
?>" />
<input id="pass" name="pass" type="password" value="" placeholder="Wachtwoord" />
<input type="submit" value="Log in" />