diff --git a/src/Controller/SecurityController.php b/src/Controller/SecurityController.php
index ad4d272f..93336bf9 100644
--- a/src/Controller/SecurityController.php
+++ b/src/Controller/SecurityController.php
@@ -25,6 +25,7 @@ namespace App\Controller;
 use App\Entity\UserSystem\User;
 use App\Events\SecurityEvent;
 use App\Events\SecurityEvents;
+use App\Form\Security\LoginFormType;
 use App\Services\UserSystem\PasswordResetManager;
 use Doctrine\ORM\EntityManagerInterface;
 use Gregwar\CaptchaBundle\Type\CaptchaType;
@@ -61,7 +62,12 @@ class SecurityController extends AbstractController
         // last username entered by the user
         $lastUsername = $authenticationUtils->getLastUsername();
 
+        $form = $this->createForm(LoginFormType::class, [
+            '_username' => $lastUsername,
+        ]);
+
         return $this->render('security/login.html.twig', [
+            'form' => $form,
             'last_username' => $lastUsername,
             'error' => $error,
         ]);
diff --git a/src/Form/Security/LoginFormType.php b/src/Form/Security/LoginFormType.php
new file mode 100644
index 00000000..184f68ac
--- /dev/null
+++ b/src/Form/Security/LoginFormType.php
@@ -0,0 +1,83 @@
+<?php
+/*
+ * This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
+ *
+ *  Copyright (C) 2019 - 2026 Jan Böhmer (https://github.com/jbtronics)
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License as published
+ *  by the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Affero General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+declare(strict_types=1);
+
+
+namespace App\Form\Security;
+
+use Symfony\Component\Form\AbstractType;
+use Symfony\Component\Form\Extension\Core\Type\CheckboxType;
+use Symfony\Component\Form\Extension\Core\Type\PasswordType;
+use Symfony\Component\Form\Extension\Core\Type\TextType;
+use Symfony\Component\OptionsResolver\OptionsResolver;
+
+use function Symfony\Component\Translation\t;
+
+class LoginFormType extends AbstractType
+{
+    public function buildForm(\Symfony\Component\Form\FormBuilderInterface $builder, array $options): void
+    {
+        $builder
+            ->add('_username', TextType::class, [
+                'label' => t('login.username.label'),
+                'attr' => [
+                    'autofocus' => 'autofocus',
+                    'autocomplete' => 'username',
+                    'placeholder' => t('login.username.placeholder'),
+                ]
+            ])
+            ->add('_password', PasswordType::class, [
+                'label' => t('login.password.label'),
+                'attr' => [
+                    'autocomplete' => 'current-password',
+                    'placeholder' => t('login.password.placeholder'),
+                ]
+            ])
+            ->add('_remember_me', CheckboxType::class, [
+                'label' => t('login.rememberme'),
+                'required' => false,
+            ])
+            ->add('submit', \Symfony\Component\Form\Extension\Core\Type\SubmitType::class, [
+                'label' => t('login.btn'),
+            ])
+        ;
+    }
+
+    public function configureOptions(OptionsResolver $resolver): void
+    {
+        $resolver->setDefaults([
+            // This ensures CSRF protection is active for the login
+            'csrf_protection' => true,
+            'csrf_field_name' => '_csrf_token',
+            'csrf_token_id'   => 'authenticate',
+            'attr' => [
+                'data-turbo' => 'false', // Disable Turbo for the login form to ensure proper redirection after login
+            ]
+        ]);
+    }
+
+    public function getBlockPrefix(): string
+    {
+        // This removes the "login_form_" prefix from field names
+        // so that Security can find "_username" directly.
+        return '';
+    }
+}
diff --git a/templates/security/login.html.twig b/templates/security/login.html.twig
index b8a0df1d..c09b3669 100644
--- a/templates/security/login.html.twig
+++ b/templates/security/login.html.twig
@@ -20,53 +20,23 @@
 {% endblock %}
 
 {% block card_content %}
-    <form action="{{ path('login') }}" method="post" data-turbo="false" class="form-horizontal">
 
-        <input type="hidden" name="_csrf_token" data-controller="csrf-protection" value="{{ csrf_token('authenticate') }}">
+    {% if saml_enabled %}
+        <div class="col-md-9 offset-md-3 col-lg-10 offset-lg-2">
+            <a class="btn btn-secondary" href="{{ path('saml_login') }}"><i class="fa-solid fa-house-user"></i> {% trans %}login.sso_saml_login{% endtrans %}</a>
 
-        <input type="hidden" name="_target_path" value="{{ app.request.query.get('_target_path') }}" />
-
-        {% if saml_enabled %}
-            <div class="col-md-9 offset-md-3 col-lg-10 offset-lg-2">
-                <a class="btn btn-secondary" href="{{ path('saml_login') }}"><i class="fa-solid fa-house-user"></i> {% trans %}login.sso_saml_login{% endtrans %}</a>
-
-                <p class="text-muted">{% trans %}login.local_login_hint{% endtrans %}</p>
-            </div>
-
-        {% endif %}
-
-        <div class="form-group row">
-            <label class="col-form-label col-md-3 col-lg-2">{% trans %}login.username.label{% endtrans %}</label>
-            <div class="col-md-9 col-lg-10">
-                <input type="text" class="form-control"  name="_username" value="{{ last_username }}"
-                       placeholder="{% trans %}login.username.placeholder{% endtrans %}"  autocomplete="username">
-            </div>
-        </div>
-        <div class="form-group row">
-            <label class="col-form-label col-md-3 col-lg-2">{% trans %}login.password.label{% endtrans %}</label>
-            <div class="col-md-9 col-lg-10">
-                <input type="password" class="form-control" placeholder="{% trans %}login.password.placeholder{% endtrans %}" name="_password"
-                       autocomplete="current-password">
-            </div>
+            <p class="text-muted">{% trans %}login.local_login_hint{% endtrans %}</p>
         </div>
+    {% endif %}
 
-        <div class="form-group row">
-            <div class="col-md-9 offset-md-3 col-lg-10 offset-lg-2">
-                <div class="custom-control custom-checkbox custom-control-inline">
-                    <input class="form-check-input" name="_remember_me" id="remember_me" type="checkbox">
-                    <label class="form-check-label" for="remember_me">
-                        {% trans %}login.rememberme{% endtrans %}
-                    </label>
-                </div>
-            </div>
-        </div>
+    {{ form_start(form) }}
 
-        <div class="form-group row  mt-3">
-            <div class="col-md-9 offset-md-3 col-lg-10 offset-lg-2">
-                <button type="submit" class="btn btn-primary">{% trans %}login.btn{% endtrans %}</button>
-            </div>
-        </div>
-    </form>
+    {{ form_row(form._username) }}
+    {{ form_row(form._password) }}
+    {{ form_row(form._remember_me) }}
+    {{ form_row(form.submit) }}
+
+    {{ form_end(form) }}
 
     {% if allow_email_pw_reset %}
         <a class="offset-sm-2" href="{{ path('pw_reset_request') }}">{% trans %}pw_reset.password_forget{% endtrans %}</a>