In core/plugins/Login/Controller.php there is a function called logme() - it allows a user to do a formless login. I found that the following code is completely unnecessary:
    // authenticateAndRedirect() either redirects and exits, or prints the error itself;
    // it has no return value, so $authenticated can only ever be NULL here
    $authenticated = $this->authenticateAndRedirect($login, $password, $urlToRedirect);
    if($authenticated === false)
    {
        echo Piwik_Translate('Login_LoginPasswordNotCorrect');
    }
If the login is successful, "authenticateAndRedirect" just redirects to $_REQUEST['url'] and exits. Otherwise the authenticate method prints an error to the user. authenticateAndRedirect never returns (it actually does not return anything at all), and even if it did, $authenticated would be NULL.
logme as function name is not very descriptive. I can't think of a better name right now, but it should be changed.
Another thought: Shouldn't logme() use tokenAuth to authenticate a user instead of the md5 hashed password? The password hash is definitely better to brute-force than the tokenAuth.
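An added Python model of the control flow described above (not Piwik's code): it stands in a raised exception for PHP's redirect-plus-exit, so the outcome of both callers can be observed and it becomes visible that the `=== false` branch can never run. The account, password and URL are constructed sample values.

```python
# Added example (not Piwik's code): a Python model of the control flow the
# ticket describes, showing why the caller's `=== false` check is dead code.
import hashlib
import hmac


class Redirect(Exception):
    """Stands in for PHP header('Location: ...') followed by exit: it never returns."""

    def __init__(self, url):
        super().__init__(url)
        self.url = url


# Constructed sample account; the formless login receives md5(password), as in the ticket.
USERS = {"admin": hashlib.md5(b"sample-password").hexdigest()}


def authenticate_and_redirect(login, password_md5, url):
    """Models authenticateAndRedirect(): redirect+exit on success, print on failure, no return value."""
    stored = USERS.get(login)
    if stored is not None and hmac.compare_digest(stored, password_md5):
        raise Redirect(url)
    print("Login_LoginPasswordNotCorrect")


def logme_original(login, password_md5, url):
    """The pre-fix caller: reports which branch actually executed."""
    authenticated = authenticate_and_redirect(login, password_md5, url)
    if authenticated is False:        # never true: the value is None on failure,
        return "caller-error-branch"  # and success raised Redirect before reaching here
    return "fell-through"


def logme_fixed(login, password_md5, url):
    """The post-fix caller: delegate entirely, keep no unreachable branch."""
    authenticate_and_redirect(login, password_md5, url)
    return "fell-through"


def outcome(handler, login, password_md5, url="/index.php"):
    """Run a handler and report 'redirect:<url>' or the branch value it returned."""
    try:
        return handler(login, password_md5, url)
    except Redirect as r:
        return "redirect:" + r.url
```

Both callers behave identically on every input, which is exactly why the block could be dropped.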
I agree with removing the unreachable if{} block.
It's debatable whether switching to token_auth is more/less secure overall, but I agree it might be better against a dictionary attack. It's a compat buster, so I'll defer to Matthieu.
(In [2258]) fixes #1402 - remove unreachable if{} block; switching to token_auth is a wontfix as token_auth is intended for the API; logme() is a formless login which mirrors the form login, i.e., piwik_auth cookie and server-side session