I am in the process of configuring my piwik installation to work with Cloudflare so I have set a client-ip configuration. Currently this is missing something so that the form security check of the login form fails.
I once accidentally used the wrong user when checking the login and that gave an error user or password incorrect and not form security failed, which means that the user/pw check comes first and then the security check for the form, which is not good since this will enable attackers to do brute force attempts even though they cannot get through the security check of the form. It would be better to first do the general form check and then the user/pw check to disclose less information.
If I disable cookies (making the form submission fail) then I always see the security check message. Even when typing proper username i get the security check message. If it's really a bug, please explain exactly how to reproduce.
Turns out the conditions when this happens are more complicated than I thought.
When deleting the session cookie, the form security fails when either an existing or non-existing username is used.
When changing the last char of the session cookie value with e.g. cookie manager+, form security fails for existing users with either correct or incorrect password, but the login displays the user/password wrong message for nonexistent users.
However when I choose a completely wrong session-id like all 0s, form security always fails.
I didn't look at the source, but it seems that the sequence in which the conditions are checked is not completely right.