diff --git a/inc/auth.php b/inc/auth.php
index 6abaa166fafeab32078b517a9ef7bb1c96723646..e938830ef29a7baee53b9abf09695bbc6222bfbe 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -95,9 +95,10 @@ function auth_setup() {
         $INPUT->set('http_credentials', true);
     }
 
-    // apply cleaning
+    // apply cleaning (auth specific user names, remove control chars)
     if (true === $auth->success) {
-        $INPUT->set('u', $auth->cleanUser($INPUT->str('u')));
+        $INPUT->set('u', $auth->cleanUser(stripctl($INPUT->str('u'))));
+        $INPUT->set('p', stripctl($INPUT->str('p')));
     }
 
     if($INPUT->str('authtok')) {
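Review bot: The control-character filter is applied only to the `u` and `p` values held in `$INPUT` inside auth_setup(), so it covers only logins that arrive through this path. auth_login() in the same file takes `$user` and `$pass` as parameters, and any caller that passes them directly (none are visible in this diff) would reach `checkPass()` with unfiltered values. Consider applying `stripctl()` at the top of auth_login() as well, or extending the comment to something like `// strip control chars before the values reach the auth backend; must run before any checkPass() call`. Note also that the password is silently altered rather than rejected, so a submitted password differing from the stored one only by control characters would be accepted as equal; if that is intended, the comment should say so.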
@@ -228,7 +229,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) {
 
     if(!empty($user)) {
         //usual login
-        if($auth->checkPass($user, $pass)) {
+        if(!empty($pass) && $auth->checkPass($user, $pass)) {
             // make logininfo globally available
             $INPUT->server->set('REMOTE_USER', $user);
             $secret                 = auth_cookiesalt(!$sticky, true); //bind non-sticky to session
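Review bot: `!empty($pass)` on the changed line also rejects the password `"0"`, because PHP's empty() treats the string "0" as empty; an account with that password could no longer log in, although the guard is presumably meant to block only blank passwords. A stricter test keeps the guard without that side effect: `if((string) $pass !== '' && $auth->checkPass($user, $pass)) {`. A short why-comment would help the next maintainer, e.g. `// never hand an empty password to the backend; some directory backends treat it as an anonymous bind`. auth_login()'s body starts and ends outside this hunk, so what the failing branch does with a blank password is not visible here.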