Restricting Login Attempts
Ektron CMS400.NET has a login security feature that, by default, locks out a user after five unsuccessful attempts to log in by a user on one computer. This section explains the flexibility you have in controlling this feature.
You can control the following capabilities.
Changing the Number of Unsuccessful Login Attempts
Manually Locking a User from Signon
Disabling the Login Attempts Feature
Preventing CMS Users from Signing On
Preventing All Users from Signing On
Changing Images Used for Logging In and Out
Resolving Problem with Login Screen
You control login security feature by changing the value of the ek_loginAttempts element in the web.config file. The following table summarizes your options.
Warning! If you want your Ektron CMS400.NET eCommerce feature to comply with Payment Application Data Security Standard (PA DSS) certification, the ek_loginAttempts value must be between 1 and 6.
|
Value |
Description |
|
any number between 1 and 254 |
The number of unsuccessful login attempts after which the user is locked out. |
|
0 |
Lock out all users |
|
-1 |
Disable feature; unlock all locked users |
|
-2 |
Lock out CMS users only; membership users can still log in |
Changing the Number of Unsuccessful Login Attempts
By default, if a user unsuccessfully tries to log in five times, the following error message appears: The account is locked. Please contact your administrator. Afterwards, even if the user enters the correct password, he is locked out, and the error message reappears.
Note: You can change the text of the error message in the resource file. To learn about editing the resource file, see Procedure for Translating Workarea Strings.
To change the number of unsuccessful login attempts that occur prior to lockout, edit the value of the ek_loginAttempts element in the siteroot/web.config file. For example, to allow only three unsuccessful logins, change the value to 3. You cannot enter a value greater than 254.
Unlocking a Locked Account
Once an account is locked out, the Account Locked field is checked in the user settings.
To unlock the account, an administrator user (or a user assigned to the user-admin role) accesses the Edit User screen and unchecks the box. At this point, the user can attempt to sign in again.
Note: If you want to unlock all locked users at once, set the value of the ek_loginAttempts element in the web.config file to -1. For more information about the effects of this setting, see Disabling the Login Attempts Feature.
Manually Locking a User from Signon
You can use the Account Locked field (described above) to manually lock a user out of Ektron CMS400.NET. To do so, go to the Edit User screen, identify the user, and check the Account Locked field.
That user cannot sign in until either you uncheck the box or change the value of the ek_loginAttempts element in the web.config file to -1.
Disabling the Login Attempts Feature
To disable the Login Attempts feature, set the value of the ek_loginAttempts element in the web.config file to -1. If you do, any user can try to log in as many times as he wants. The error message never appears, and he is not prevented from entering a password.
Note: Setting the value of the ek_loginAttempts element in the web.config file to -1 automatically unlocks all locked accounts.
Preventing CMS Users from Signing On
If you want to lock all CMS users out, set the ek_loginAttempts element in the web.config file to -2. If you do, only membership users can sign in.
Note: The builtin user cannot sign in if ek_loginAttempts is set to -2.
Preventing All Users from Signing On
If you want to lock out all users (including membership users), set the ek_loginAttempts element in the web.config file to 0. If you do, no one can sign in to Ektron CMS400.NET until you change the value.
Note: The builtin user cannot sign in if ek_loginAttempts is set to 0.
Changing Images Used for Logging In and Out
You can change the images used for the login and logout buttons. To do so, follow these steps.
1. Move the new images to the following folder: webroot\your site’s root directory\Workarea\images\application.
2. Open the web.config file in your Web site’s root directory.
3. Change the images referenced in this section of the file:
<add key="ek_Image_1" value="btn_close.gif" />
<add key="ek_Image_2" value="btn_login.gif" />
<add key="ek_Image_3" value="btn_login_big.gif" />
Note: You must update the images and web.config each time your system is updated.
Resolving Problem with Login Screen
You may find that in certain browsers, the login screen occupies the entire browser window instead of just a small box (see illustration below).
Browsers such as Internet Explorer 8 and Firefox have a feature called tabs. When the login window pops up, it appears as a new tab as shown above.
You can change this behavior by turning off tabs within the browser.
