diff --git a/api.php b/api.php
index 02679e8..12658a6 100644
--- a/api.php
+++ b/api.php
@@ -43,10 +43,10 @@ switch ($VARS['action']) {
 case "auth":
 $errmsg = "";
 if (authenticate_user($VARS['username'], $VARS['password'], $errmsg)) {
- insertAuthLog(12, null, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(12, null, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 exit(json_encode(["status" => "OK", "msg" => lang("login successful", false)]));
 } else {
- insertAuthLog(13, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(13, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 if (!is_empty($errmsg)) {
 exit(json_encode(["status" => "ERROR", "msg" => lang2("ldap error", ['error' => $errmsg], false)]));
 }
@@ -70,7 +70,7 @@ switch ($VARS['action']) {
 case "userinfo":
 if (!is_empty($VARS['username'])) {
 if (user_exists_local($VARS['username'])) {
- $data = $database->select("accounts", ["uid", "username", "realname (name)", "email", "phone" => ["phone1 (1)", "phone2 (2)"]], ["username" => $VARS['username']])[0];
+ $data = $database->select("accounts", ["uid", "username", "realname (name)", "email", "phone" => ["phone1 (1)", "phone2 (2)"]], ["username" => strtolower($VARS['username'])])[0];
 exit(json_encode(["status" => "OK", "data" => $data]));
 } else {
 exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));
@@ -112,7 +112,7 @@ switch ($VARS['action']) {
 if (verifyTOTP($VARS['username'], $VARS['code'])) {
 exit(json_encode(["status" => "OK", "valid" => true]));
 } else {
- insertAuthLog(7, null, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(7, null, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 exit(json_encode(["status" => "ERROR", "msg" => lang("2fa incorrect", false), "valid" => false]));
 }
 break;
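Review bot: In the @@ -70 userinfo hunk the existence check on the line above the changed select still receives the raw `$VARS['username']`, while the select now lowercases it; if user_exists_local() does not normalise case the same way, a mixed-case username passes the check, the select matches nothing, `[0]` on the empty result yields null, and the endpoint replies `status: OK` with `data: null`. Normalise once at the top of the case, `$username = strtolower($VARS['username']);`, and pass `$username` to both user_exists_local() and the select. The same raw/lowercased split appears in the auth and TOTP hunks, where authenticate_user() and verifyTOTP() see the raw value but the audit-log line records the lowercased one, so an operator searching the log may not find the exact string the client submitted. The enclosing switch begins before these hunks.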
@@ -123,30 +123,30 @@ switch ($VARS['action']) {
 // simulate a login, checking account status and alerts
 $errmsg = "";
 if (authenticate_user($VARS['username'], $VARS['password'], $errmsg)) {
- $uid = $database->select('accounts', 'uid', ['username' => $VARS['username']])[0];
+ $uid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['username'])])[0];
 switch (get_account_status($VARS['username'])) {
 case "LOCKED_OR_DISABLED":
- insertAuthLog(5, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(5, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 exit(json_encode(["status" => "ERROR", "msg" => lang("account locked", false)]));
 case "TERMINATED":
- insertAuthLog(5, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(5, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 exit(json_encode(["status" => "ERROR", "msg" => lang("account terminated", false)]));
 case "CHANGE_PASSWORD":
- insertAuthLog(5, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(5, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 exit(json_encode(["status" => "ERROR", "msg" => lang("password expired", false)]));
 case "NORMAL":
- insertAuthLog(4, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(4, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 exit(json_encode(["status" => "OK"]));
 case "ALERT_ON_ACCESS":
 sendLoginAlertEmail($VARS['username']);
- insertAuthLog(4, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(4, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 exit(json_encode(["status" => "OK", "alert" => true]));
 default:
- insertAuthLog(5, $uid, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(5, $uid, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 exit(json_encode(["status" => "ERROR", "msg" => lang("account state error", false)]));
 }
 } else {
- insertAuthLog(5, null, "Username: " . $VARS['username'] . ", Key: " . getCensoredKey());
+ insertAuthLog(5, null, "Username: " . strtolower($VARS['username']) . ", Key: " . getCensoredKey());
 if (!is_empty($errmsg)) {
 exit(json_encode(["status" => "ERROR", "msg" => lang2("ldap error", ['error' => $errmsg], false)]));
 }
@@ -168,13 +168,13 @@ switch ($VARS['action']) {
 } else {
 if (user_exists_local($VARS['manager'])) {
 if (user_exists_local($VARS['employee'])) {
- $managerid = $database->select('accounts', 'uid', ['username' => $VARS['manager']]);
- $employeeid = $database->select('accounts', 'uid', ['username' => $VARS['employee']]);
+ $managerid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['manager'])]);
+ $employeeid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['employee'])]);
 } else {
- exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false), "user" => $VARS['employee']]));
+ exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false), "user" => strtolower($VARS['employee'])]));
 }
 } else {
- exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false), "user" => $VARS['manager']]));
+ exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false), "user" => strtolower($VARS['manager'])]));
 }
 }
 if ($database->has('managers', ['AND' => ['managerid' => $managerid, 'employeeid' => $employeeid]])) {
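Review bot: In the @@ -123 simulated-login hunk the uid lookup now lowercases the username, but `get_account_status($VARS['username'])` and `sendLoginAlertEmail($VARS['username'])` on the following context lines still receive the raw value; if those helpers query by exact username, a mixed-case login resolves `$uid` for one spelling but evaluates the status of, and alerts, another, and if they lowercase internally the split is merely inconsistent. Compute `$username = strtolower($VARS['username']);` once after the authenticate_user() guard and use it for the select, the status switch and the alert e-mail. The `[0]` on the select result also becomes a notice plus null when nothing matches, so every status branch would then log a null uid; a `!empty($uid)` guard before the switch would make that failure explicit rather than silent. The surrounding action case continues outside the hunk.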
@@ -191,8 +191,8 @@ switch ($VARS['action']) {
 exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
 }
 } else if ($VARS['username']) {
- if ($database->has("accounts", ['username' => $VARS['username']])) {
- $managerid = $database->select('accounts', 'uid', ['username' => $VARS['username']]);
+ if ($database->has("accounts", ['username' => strtolower($VARS['username'])])) {
+ $managerid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['username'])]);
 } else {
 exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
 }
@@ -211,8 +211,8 @@ switch ($VARS['action']) {
 exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
 }
 } else if ($VARS['username']) {
- if ($database->has("accounts", ['username' => $VARS['username']])) {
- $empid = $database->select('accounts', 'uid', ['username' => $VARS['username']]);
+ if ($database->has("accounts", ['username' => strtolower($VARS['username'])])) {
+ $empid = $database->select('accounts', 'uid', ['username' => strtolower($VARS['username'])]);
 } else {
 exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
 }
@@ -243,7 +243,7 @@ switch ($VARS['action']) {
 exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
 }
 } else if ($VARS['username']) {
- if ($database->has("accounts", ['username' => $VARS['username']])) {
+ if ($database->has("accounts", ['username' => strtolower($VARS['username'])])) {
 $user = $VARS['username'];
 } else {
 exit(json_encode(["status" => "ERROR", "msg" => lang("user does not exist", false)]));
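Review bot: In the @@ -243 hunk the existence check is lowercased but the value kept for later use is not: `$user = $VARS['username'];` on the context line below the changed `has()` stores the caller's original casing, so whatever the rest of the case does with `$user` (outside this hunk) will query or log a spelling that has just been proven to exist only in lowercase. Change the assignment to `$user = strtolower($VARS['username']);` so the check and the use agree. The two hunks above avoid this by lowercasing in both the `has()` and the `select()` call, and this one should match them; note that those selects return an array, not a scalar uid, which is pre-existing but worth knowing when comparing against the `$user` path.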
@@ -262,7 +262,8 @@ switch ($VARS['action']) {
 http_response_code(400);
 die("\"400 Bad Request\"");
 }
- $user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $VARS['code'], 'accounts.username' => $VARS['username']]]);
+ $code = strtoupper($VARS['code']);
+ $user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $code, 'accounts.username' => strtolower($VARS['username'])]]);
 exit(json_encode(["status" => "OK", "valid" => $user_key_valid]));
 case "alertemail":
 engageRateLimit();
diff --git a/apps/inventory_link.php b/apps/inventory_link.php
index f8d33c4..df41d70 100644
--- a/apps/inventory_link.php
+++ b/apps/inventory_link.php
@@ -10,6 +10,6 @@ $APPS["inventory_link"]["i18n"] = TRUE;
 $APPS["inventory_link"]["title"] = "inventory";
 $APPS["inventory_link"]["icon"] = "cubes";
 $APPS["inventory_link"]["type"] = "teal";
-$content = "
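Review bot: The mobile-code check in the @@ -262 hunk is a yes/no oracle on a (username, code) pair and, within the visible lines, calls no `engageRateLimit()`, whereas the `alertemail` case immediately after it does; if the opening lines of this case (before the hunk) do not rate-limit either, add `engageRateLimit();` before the `$database->has(...)` lookup so the oracle cannot be queried at line rate. Uppercasing `$VARS['code']` is consistent with the generator in apps/sync_mobile.php, which stores the code already uppercased, so the comparison itself is sound. The start of this case lies outside the hunk.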

" . lang("open inventory system", false) . '

' . lang("open app", false) . '  '; +$content = "

" . lang("open inventory system", false) . '

' . lang("open app", false) . '  '; $APPS["inventory_link"]["content"] = $content; ?> \ No newline at end of file diff --git a/apps/qwikclock_inout.php b/apps/qwikclock_inout.php index 14b6363..5458891 100644 --- a/apps/qwikclock_inout.php +++ b/apps/qwikclock_inout.php @@ -38,6 +38,6 @@ $content .= << $lang_punchin $lang_punchout END; -$content .= '
' . lang("open app", false) . '  '; +$content .= '
' . lang("open app", false) . '  '; $APPS["qwikclock_inout"]["content"] = $content; ?> \ No newline at end of file diff --git a/apps/sync_mobile.php b/apps/sync_mobile.php index 8bea14a..549656a 100644 --- a/apps/sync_mobile.php +++ b/apps/sync_mobile.php @@ -31,8 +31,9 @@ if ($_GET['mobilecode'] == "generate") { $code = strtoupper(substr(md5(mt_rand() . uniqid("", true)), 0, 20)); $database->insert('mobile_codes', ['uid' => $_SESSION['uid'], 'code' => $code]); } - $url = str_replace("/", "\\", URL . "mobile/index.php"); - $codeuri = "bizsync://" . $url . "/" . $_SESSION['username'] . "/" . $code; + $url = URL . "mobile/index.php"; + $encodedurl = str_replace("/", "\\", $url); + $codeuri = "bizsync://" . $encodedurl . "/" . $_SESSION['username'] . "/" . $code; $qrCode = new QrCode($codeuri); $qrCode->setSize(200); $qrCode->setErrorCorrection("H"); @@ -42,6 +43,7 @@ if ($_GET['mobilecode'] == "generate") { $APPS["sync_mobile"]["content"] = '
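Review bot: The code that the new `$codeuri` embeds in the QR image is produced on the first context line of the @@ -31 hunk from `md5(mt_rand() . uniqid("", true))`, and the mobile endpoint touched by this same commit accepts that value as a long-lived bearer key, so it needs a CSPRNG rather than mt_rand() plus a timestamp; `$code = strtoupper(bin2hex(random_bytes(10)));` yields the same 20-uppercase-hex-character shape the comparison code expects. Separately, `$_SESSION['username']` and `$code` are joined into the URI with `/` as the separator and no encoding, so a username containing `/` or another URI-reserved character would shift the fields a parser sees; rawurlencode() the username segment, or reject usernames containing `/` before building the URI. The `$url` shown to the user on the new heredoc line in the second hunk is config-derived (`URL`) rather than request-derived, which is fine as far as this diff shows. The "generate" branch begins before the first hunk.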
' . lang("scan sync qrcode", false) . '
' . <<
$chunk_code
+
$url
$lang_done END; } else { diff --git a/apps/taskfloor_messages.php b/apps/taskfloor_messages.php index 0767a54..d2706b4 100644 --- a/apps/taskfloor_messages.php +++ b/apps/taskfloor_messages.php @@ -49,6 +49,6 @@ END; } catch (Exception $e) { $content = "
" . lang("error loading widget", false) . " " . $e->getMessage() . "
"; } -$content .= '' . lang("open app", false) . '  '; +$content .= '' . lang("open app", false) . '  '; $APPS["taskfloor_messages"]["content"] = $content; ?> \ No newline at end of file diff --git a/apps/taskfloor_tasks.php b/apps/taskfloor_tasks.php index a264aee..d9746e2 100644 --- a/apps/taskfloor_tasks.php +++ b/apps/taskfloor_tasks.php @@ -37,6 +37,6 @@ try { } catch (Exception $e) { $content = "
" . lang("error loading widget", false) . " " . $e->getMessage() . "
"; } -$content .= '' . lang("open app", false) . '  '; +$content .= '' . lang("open app", false) . '  '; $APPS["taskfloor_tasks"]["content"] = $content; ?> \ No newline at end of file diff --git a/home.php b/home.php index 9d1e7c9..6abd49a 100644 --- a/home.php +++ b/home.php @@ -83,7 +83,7 @@ if (!is_empty($_GET['page'])) { @@ -91,7 +91,7 @@ if (!is_empty($_GET['page'])) { -
+
- " required="required" autofocus />
- " required="required" />
+ " required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" autofocus />
+ " required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" />

@@ -203,15 +203,15 @@ if ($VARS['progress'] == "1") {
- " required="required" autocomplete="off" autofocus />
+ " required="required" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" autofocus />
-
-
-
+
+
+
"ERROR", "msg" => "Missing username and/or access key."])); } +$username = strtolower($VARS['username']); +$key = strtoupper($VARS['key']); + // Make sure the username and key are actually legit -$user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $VARS['key'], 'accounts.username' => $VARS['username']]]); +$user_key_valid = $database->has('mobile_codes', ['[>]accounts' => ['uid' => 'uid']], ["AND" => ['mobile_codes.code' => $key, 'accounts.username' => $username]]); if ($user_key_valid !== TRUE) { engageRateLimit(); http_response_code(401); - insertAuthLog(21, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']); + insertAuthLog(21, null, "Username: " . $username . ", Key: " . $key); die(json_encode(["status" => "ERROR", "msg" => "Invalid username and/or access key."])); } 
@@ -44,53 +47,54 @@ switch ($VARS['action']) {
 case "check_password":
 // Check if the user-supplied password is valid.
 engageRateLimit();
- if (get_account_status($VARS['username']) != "NORMAL") {
- insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
+ if (get_account_status($username) != "NORMAL") {
+ insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
 exit(json_encode(["status" => "ERROR", "msg" => lang("login failed try on web", false)]));
 }
- if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) {
- $uid = $database->get("accounts", "uid", ["username" => $VARS['username']]);
- insertAuthLog(19, $uid, "Key: " . $VARS['key']);
+ if (authenticate_user($username, $VARS['password'], $autherror)) {
+ $uid = $database->get("accounts", "uid", ["username" => $username]);
+ insertAuthLog(19, $uid, "Key: " . $key);
 exit(json_encode(["status" => "OK", "uid" => $uid]));
 } else {
 if (!is_empty($autherror)) {
- insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
+ insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
 exit(json_encode(["status" => "ERROR", "msg" => $autherror]));
 } else {
- insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
+ insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
 exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));
 }
 }
 case "user_info":
 engageRateLimit();
- if (get_account_status($VARS['username']) != "NORMAL") {
- insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
+ if (get_account_status($username) != "NORMAL") {
+ insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
 exit(json_encode(["status" => "ERROR", "msg" => lang("login failed try on web", false)]));
 }
- if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) {
- $userinfo = $database->get("accounts", ["uid", "username", "realname", "email"], ["username" => $VARS['username']]);
- insertAuthLog(19, $userinfo['uid'], "Key: " . $VARS['key']);
+ if (authenticate_user($username, $VARS['password'], $autherror)) {
+ $userinfo = $database->get("accounts", ["uid", "username", "realname", "email"], ["username" => $username]);
+ insertAuthLog(19, $userinfo['uid'], "Key: " . $key);
 exit(json_encode(["status" => "OK", "info" => $userinfo]));
 } else {
 if (!is_empty($autherror)) {
- insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
+ insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
 exit(json_encode(["status" => "ERROR", "msg" => $autherror]));
 } else {
- insertAuthLog(20, null, "Username: " . $VARS['username'] . ", Key: " . $VARS['key']);
+ insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
 exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));
 }
 }
 case "start_session":
 // Do a web login.
 engageRateLimit();
- if (user_exists($VARS['username'])) {
- if (get_account_status($VARS['username']) == "NORMAL") {
- if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) {
- doLoginUser($VARS['username'], $VARS['password']);
+ if (user_exists($username)) {
+ if (get_account_status($username) == "NORMAL") {
+ if (authenticate_user($username, $VARS['password'], $autherror)) {
+ doLoginUser($username, $VARS['password']);
 exit(json_encode(["status" => "OK"]));
 }
 }
 }
+ insertAuthLog(20, null, "Username: " . $username . ", Key: " . $key);
 exit(json_encode(["status" => "ERROR", "msg" => lang("login incorrect", false)]));
 case "listapps":
 exit(json_encode(["status" => "OK", "apps" => EXTERNAL_APPS]));
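Review bot: The new log lines in this hunk write the full access key into the auth log — `insertAuthLog(19, $uid, "Key: " . $key)` on success and every `insertAuthLog(20, ...)` on failure — and, as the preceding hunk shows, `$key` has already been validated against mobile_codes before this switch runs, so each entry stores a live bearer credential that anyone with read access to the log can replay against check_password, user_info or start_session. The parallel entries in api.php in this same commit go through getCensoredKey() for exactly this reason; log a masked form here as well, e.g. `"Key: " . substr($key, 0, 4) . "..."`, or reuse that helper if it is in scope for this file. The added start_session failure log is placed correctly after the three nested checks, but it cannot tell an unknown user from a wrong password; appending the user_exists() result to the message would make triage easier. The `$username`/`$key` normalisation this hunk depends on is defined in the preceding hunk, whose header is not visible here.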