diff --git a/object/check.go b/object/check.go
index 59ab2b24..63e94793 100644
--- a/object/check.go
+++ b/object/check.go
@@ -67,7 +67,7 @@ func checkPassword(user *User, password string) string {
 return "password incorrect"
 }
 } else if organization.PasswordType == "salt" {
- if getSaltedPassword(password, organization.PasswordSalt) == user.Password {
+ if password == user.Password || getSaltedPassword(password, organization.PasswordSalt) == user.Password {
 return ""
 } else {
 return "password incorrect"
diff --git a/routers/auto_login_filter.go b/routers/auto_login_filter.go
index d2026dc5..2b005c7c 100644
--- a/routers/auto_login_filter.go
+++ b/routers/auto_login_filter.go
@@ -16,6 +16,7 @@ package routers
 
 import (
 "fmt"
+ "net/url"
 
 "github.com/astaxie/beego/context"
 "github.com/casdoor/casdoor/controllers"
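Review bot: Adding `password == user.Password` in the salt branch makes the stored salted hash itself an accepted credential, so any copy of the user table (a database dump, a read-only reporting account, a debug log) becomes a set of working logins, and the salt no longer protects anything. If the purpose is to let the new `?username=&password=` auto-login pass along an already-hashed value, that belongs in an explicitly named code path with its own check, not in `checkPassword` as a silent shortcut; the safe form of this line is the original `if getSaltedPassword(password, organization.PasswordSalt) == user.Password {`. The comparison is also a plain `==` on a hash, where `subtle.ConstantTimeCompare` is the usual choice. checkPassword starts and ends outside the hunk.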
@@ -53,23 +54,42 @@ func returnRequest(ctx *context.Context, msg string) {
 }
 
 func AutoLoginFilter(ctx *context.Context) {
- query := ctx.Request.URL.RawQuery
- // query == "?access_token=123"
- accessToken := parseQuery(query, "accessToken")
- if accessToken == "" {
- return
- }
-
 if getSessionUser(ctx) != "" {
 return
 }
 
- claims, err := object.ParseJwtToken(accessToken)
+ query := ctx.Request.URL.RawQuery
+ queryMap, err := url.ParseQuery(query)
 if err != nil {
- returnRequest(ctx, "Invalid JWT token")
+ panic(err)
+ }
+
+ // "/page?access_token=123"
+ accessToken := queryMap.Get("accessToken")
+ if accessToken != "" {
+ claims, err := object.ParseJwtToken(accessToken)
+ if err != nil {
+ returnRequest(ctx, "Invalid JWT token")
+ return
+ }
+
+ userId := fmt.Sprintf("%s/%s", claims.Organization, claims.Username)
+ setSessionUser(ctx, userId)
 return
 }
 
- userId := fmt.Sprintf("%s/%s", claims.Organization, claims.Username)
- setSessionUser(ctx, userId)
+ // "/page?username=abc&password=123"
+ userId := queryMap.Get("username")
+ password := queryMap.Get("password")
+ if userId != "" && password != "" {
+ owner, name := util.GetOwnerAndNameFromId(userId)
+ _, msg := object.CheckUserLogin(owner, name, password)
+ if msg != "" {
+ returnRequest(ctx, msg)
+ return
+ }
+
+ setSessionUser(ctx, userId)
+ return
+ }
 }
diff --git a/routers/util.go b/routers/util.go
index 9fb79a34..c4ea3644 100644
--- a/routers/util.go
+++ b/routers/util.go
@@ -20,12 +20,12 @@ import (
 )
 
 func parseQuery(query string, key string) string {
- valueMap, err := url.ParseQuery(query)
+ queryMap, err := url.ParseQuery(query)
 if err != nil {
 panic(err)
 }
 
- return valueMap.Get(key)
+ return queryMap.Get(key)
 }
 
 func parseSlash(s string) (string, string) {
diff --git a/web/src/App.js b/web/src/App.js
index 7fdd043f..f5304c87 100644
--- a/web/src/App.js
+++ b/web/src/App.js
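Review bot: The new `username`/`password` branch takes the password from the URL query string, so it is recorded in web-server and proxy access logs and browser history and can leave the site in a Referer header; the frontend's `replaceState` only cleans the address bar after the request has already been made. If this auto-login path must exist, it should be documented as a deliberate trade-off above the branch, e.g. `// NOTE: credentials arrive in the query string and are visible to logs and intermediaries; prefer a POST body.` Separately, `panic(err)` after `url.ParseQuery` turns a malformed, client-supplied query string into a server error for every request through this filter (presumably caught by beego's recovery, but still a 500 rather than a clean rejection); `returnRequest(ctx, "Invalid query string"); return` would match the treatment given to a bad JWT a few lines below. The `claims, err :=` inside the `if accessToken != ""` block shadows the outer `err`, which is harmless here but easy to trip over later.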
@@ -109,7 +109,17 @@ class App extends Component { getAccessTokenParam() { // "/page?access_token=123" const params = new URLSearchParams(this.props.location.search); - return params.get("access_token"); + const accessToken = params.get("access_token"); + return accessToken === null ? "" : `?accessToken=${accessToken}`; + } + + getCredentialParams() { + // "/page?username=abc&password=123" + const params = new URLSearchParams(this.props.location.search); + if (params.get("username") === null || params.get("password") === null) { + return ""; + } + return `?username=${params.get("username")}&password=${params.get("password")}`; } getUrlWithoutQuery() { @@ -118,18 +128,21 @@ class App extends Component { } getAccount() { - const accessToken = this.getAccessTokenParam(); - if (accessToken !== null) { + let query = this.getAccessTokenParam(); + if (query === "") { + query = this.getCredentialParams(); + } + if (query !== "") { window.history.replaceState({}, document.title, this.getUrlWithoutQuery()); } - AuthBackend.getAccount(accessToken) + AuthBackend.getAccount(query) .then((res) => { let account = null; if (res.status === "ok") { account = res.data; account.organization = res.data2; } else { - if (res.msg === "Invalid JWT token") { + if (res.msg !== "Please sign in first") { Setting.showMessage("error", `Failed to sign in: ${res.msg}`); } } diff --git a/web/src/auth/AuthBackend.js b/web/src/auth/AuthBackend.js index a4a846d7..9497df3b 100644 --- a/web/src/auth/AuthBackend.js +++ b/web/src/auth/AuthBackend.js @@ -14,9 +14,8 @@ import {authConfig} from "./Auth"; -export function getAccount(accessToken) { - let param = (accessToken === null) ? "" : `?accessToken=${accessToken}`; - return fetch(`${authConfig.serverUrl}/api/get-account${param}`, { +export function getAccount(query) { + return fetch(`${authConfig.serverUrl}/api/get-account${query}`, { method: 'GET', credentials: 'include' }).then(res => res.json()); 
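Review bot: `getCredentialParams` interpolates `params.get("username")` and `params.get("password")` into the outgoing query string without encoding, and `URLSearchParams` has already decoded them, so a value containing `&`, `#`, `%` or `+` reaches the server truncated or mis-parsed by `url.ParseQuery`; `getAccessTokenParam` has the same gap for the token. Encode each value when rebuilding the string, e.g. `return "?username=" + encodeURIComponent(params.get("username")) + "&password=" + encodeURIComponent(params.get("password"));`, or assemble it with `new URLSearchParams({...}).toString()`. The class continues outside the hunk.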
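Review bot: In the `getAccount` hunk the error display now keys on the exact server string `"Please sign in first"`, which couples the UI to backend wording the same way the old `"Invalid JWT token"` check did, only inverted, so any reworded or new server message is shown to the user whether or not that was intended. A short comment would make the intent explicit, e.g. `// Only the "not signed in yet" case is silent; token and credential failures are shown.` Longer term a status code or error kind from the backend would be more robust than matching message text. getAccount continues past the end of the hunk.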
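Review bot: `getAccount(query)` changes its contract from "token or null" to "a ready-made query string that is either empty or begins with `?`", and a caller still passing `null` as the old signature allowed now requests `/api/get-accountnull` instead of getting the empty-param fallback; nothing in the hunk documents this. Add a JSDoc above the function, e.g. `/** @param {string} query - "" or a complete query string starting with "?", e.g. "?accessToken=..." */`, so callers other than the two updated in this commit are not left guessing.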
diff --git a/web/src/backend/UserBackend.js b/web/src/backend/UserBackend.js
index f0b159f6..5860df5d 100644
--- a/web/src/backend/UserBackend.js
+++ b/web/src/backend/UserBackend.js
@@ -65,7 +65,7 @@ export function deleteUser(user) {
 
 export function uploadAvatar(avatar) {
 let account;
- AuthBackend.getAccount(null).then((res) => {
+ AuthBackend.getAccount("").then((res) => {
 account = res.data;
 let formData = new FormData();
 formData.append("avatarfile", avatar);