diff --git a/cps/web.py b/cps/web.py
index d9c54016..67d22ec7 100755
--- a/cps/web.py
+++ b/cps/web.py
@@ -1354,21 +1354,21 @@ def login():
 @limiter.limit("3/minute", key_func=lambda: request.form.get('username', "").strip().lower())
 def login_post():
     form = request.form.to_dict()
+    username = form.get('username', "").strip().lower().replace("\n","\\n").replace("\r","")
     try:
         limiter.check()
     except RateLimitExceeded:
         flash(_(u"Please wait one minute before next login"), category="error")
-        return render_login(form.get("username", ""), form.get("password", ""))
+        return render_login(username, form.get("password", ""))
     if current_user is not None and current_user.is_authenticated:
         return redirect(url_for('web.index'))
     if config.config_login_type == constants.LOGIN_LDAP and not services.ldap:
         log.error(u"Cannot activate LDAP authentication")
         flash(_(u"Cannot activate LDAP authentication"), category="error")
-    user = ub.session.query(ub.User).filter(func.lower(ub.User.name) == form.get('username', "").strip().lower()) \
-        .first()
+    user = ub.session.query(ub.User).filter(func.lower(ub.User.name) == username).first()
     remember_me = bool(form.get('remember_me'))
     if config.config_login_type == constants.LOGIN_LDAP and services.ldap and user and form['password'] != "":
-        login_result, error = services.ldap.bind_user(form['username'], form['password'])
+        login_result, error = services.ldap.bind_user(username, form['password'])
         if login_result:
             log.debug(u"You are now logged in as: '{}'".format(user.name))
             return handle_login_user(user,
@@ -1388,7 +1388,7 @@ def login_post():
             flash(_(u"Could not login: %(message)s", message=error), category="error")
         else:
             ip_address = request.headers.get('X-Forwarded-For', request.remote_addr)
-            log.warning('LDAP Login failed for user "%s" IP-address: %s', form['username'], ip_address)
+            log.warning('LDAP Login failed for user "%s" IP-address: %s', username, ip_address)
             flash(_(u"Wrong Username or Password"), category="error")
     else:
         ip_address = request.headers.get('X-Forwarded-For', request.remote_addr)
@@ -1397,7 +1397,7 @@ def login_post():
                 ret, __ = reset_password(user.id)
                 if ret == 1:
                     flash(_(u"New Password was send to your email address"), category="info")
-                    log.info('Password reset for user "%s" IP-address: %s', form['username'], ip_address)
+                    log.info('Password reset for user "%s" IP-address: %s', username, ip_address)
                 else:
                     log.error(u"An unknown error occurred. Please try again later")
                     flash(_(u"An unknown error occurred. Please try again later."), category="error")
@@ -1413,9 +1413,9 @@ def login_post():
                                          _(u"You are now logged in as: '%(nickname)s'", nickname=user.name),
                                          "success")
             else:
-                log.warning('Login failed for user "{}" IP-address: {}'.format(form['username'], ip_address))
+                log.warning('Login failed for user "{}" IP-address: {}'.format(username, ip_address))
                 flash(_(u"Wrong Username or Password"), category="error")
-    return render_login(form.get("username", ""), form.get("password", ""))
+    return render_login(username, form.get("password", ""))
 
 
 @web.route('/logout')