Contents
1. Introduction
1.1 Features
1.2 Assumptions
1.3 Password requirements
2. Logging in and out
2.1 Logging in
2.2 Logging out
3. Forgotten your password?
4. Error messages
4.1 Wrong user name or password
4.2 Too many login attempts
4.3 Auto logout
4.4 Access denied
4.5 One time code error
5. Concluding remarks
This chapter describes the log in and log out procedure, the password requirements and how to renew your password when you do not remember it anymore. This last procedure is rather well secured, and thus complicated, because the process is accessible via the World Wide Web. You do not want someone to tamper with your valuable password. Furthermore, some log in error messages are discussed.
NOTICE:
Believe us, remembering your password, or humbly asking a new one from the
webmaster, is much easier than the password refresh procedure.
The password facility has the following features, in no specific order:
- Strong password requirements: Please see paragraph 1.3 Password requirements.
- Logging: Every successful login, logout, login attempt and failed login is logged.
- Configurable parameters: Several aspects related to the log in and log out procedure and the session management are configurable, see chapter Configuration Manager, paragraph Site for details. Here is a list:
  - Session expiry interval: Defines when a user session is timed out. After a configurable time of user inactivity, the session is timed out, the user is logged out and an error message is displayed.
  - Maximum allowed login attempts: After a configurable number of login attempts, the user is asked if he wants to go to the 'Forgotten your password?' procedure. If he persists in logging in, he is blacklisted. See items below. This is a security feature.
  - Login failures interval: The time window in which the blacklist is consulted before deleting a user's failed login attempts. So, a user has to wait a configurable time before he can undertake new attempts. This is a security feature.
  - Failed login attempts: After a configurable number of failed login attempts, the user automatically gets the 'Forgotten your password?' dialogue.
  - Valid bypass interval: This item refers to the 'Forgotten your password?' procedure. After sending the first mail, containing the one time code, the user has 30 minutes to read and enter the one time code. If the time is exceeded, the one time code expires.
  - Blacklist interval: The time a user is put on the blacklist. In this period, the system is inaccessible for that user.
This chapter elaborates on other chapters. We assume you have read and done the General part of the Table of Contents.
Website@School does not accept simple passwords like 'helen' or 'maria2'. These simple passwords are easy to guess and using them endangers Website@School, the school server and the data on it. Passwords must have certain properties to make them difficult to guess. A Website@School password must:
- have a minimum length of 6 (six) characters,
- have at least 1 (one) uppercase character (A-Z),
- have at least 1 (one) lowercase character (a-z),
- have at least 1 (one) digit (0-9),
- preferably have a special character like: at-sign '@', hash '#', dollar '$', percentage sign '%', caret '^', ampersand '&', asterisk '*', left parenthesis '(', right parenthesis ')', dash '-', underscore '_', plus '+', equals '=', left curly brace '{', right curly brace '}', opening bracket '[', closing bracket ']', semicolon ';', slash '/', dot '.' and question mark '?'.

It is a good idea to choose a password more than 6 characters long. A good password, as an example, is 'Mrbh3ws!' (omit the quotes). This password is easy to remember when you know it stands for the sentence: "My red bike has 3 wheels!". However, and that makes it a good password, it's very difficult to guess when you do not know the sentence. This 'sentence trick' is an easy way for pupils to create difficult passwords and remember them.
NOTICE:
When creating users and giving them passwords, the passwords must meet the
above requirements.
When trying to log in, please bear in mind that there are three types of users in Website@School:
1. Regular visitors of the site and areas, having no account to log in anywhere.
2. Users with an account with permissions only to read Private Area(s) (i.e. Intranet(s)).
3. Users with an account that permits them to perform management tasks in Website@School.

NOTICE:
Regular visitors (1) are just visitors, having no access at all.
Users with Intranet read access (2) can login via the site, i.e. via index.php.
Users (3) with enough permissions to do management tasks can login via the login dialogue, i.e. via admin.php.
A user with only Intranet read permissions, accidentally trying to log in via admin.php, is logged in, but encounters the Access denied dialogue:
![[ Access denied, two links ]](login/login_access_not_valid.png)
The user can now either:
- Select the public site and access her Intranet(s) via the 'Select
Area' dropdown menu, because she is already logged in, or
- Select login, whereafter she first is logged out, to log in again with
another account name or with sufficient permissions to enter Website@School
management.
NOTICE:
Newly created users whose access permissions were not set receive the same Access denied message. This results in a complaining user.
Logging in can be done via index.php and admin.php. When switching from the site to management or vice versa, the user does not have to login again. When logging out on the site, the user is also logged out in Website@School management and vice versa.
NOTICE:
When you try to log in and are immediately redirected to the site, please read 4.4 After login attempt redirected to the website.
Open a browser and go to http://exemplum.eu/admin.php. This is a fictional URL, replace it with the real URL of your school. Replace only the school's part of the URL and keep admin.php. Next, hit the [Enter] key to enter the login dialogue:
![[ Exemplum Primary School login page, username name, password ******** ]](login/login_logging_in.png)
Explanation:
- Username: Enter the user name you created during
installation or received from the web master. For example
wblader.
- Password: Enter the password you created during the installation or received from the web master. The password is not shown; asterisks (********) are displayed instead. This is a security feature.
- [OK] or [Enter]: Press the [Enter] key on your keyboard, or click [OK] to enter the Website@School Management Welcome page.
- home: Link to the home page of the school site.
- Forgotten your password?: When you have forgotten your password, use this link to obtain a new password. See paragraph 3. Forgotten your password? for further details.

After a successful login, you are on the Website@School Welcome page:
![[ Welcome, message= success ]](login/login_was_home_after_login.png)
From this page Website@School is managed.
After having done your
job in Website@School you must log out to end your session.
NOTICE:
Do not terminate your session by exiting your browser or clicking
the X in the upper right corner of your browser. This brute force action will
indeed kill your session, but it does not unlock the materials you were
working with. The next time you login, you may be confronted with locked
pages, see paragraph 4.3 Locked
pages.
To end your session in Website@School, click the link logout Full Name in the upper right corner of the screen to log out, whereafter the logout dialogue opens:
![[ Exemplum Primary School, pop up: success, message= success ]](login/login_logged_out.png)
After logging out, two possibilities are available:
- You are taken back to the login dialogue and can login again after
reading the pop up message and clicking the [OK] button, or
- you are taken back to some other place. This depends on your account
settings in the user properties. These are set in the account manager and
are discussed in chapter Account Manager, paragraph 3.3 Edit user username (Full Name).
When you have
forgotten your password, try to remember it. Do not try it out
endlessly. This results in error messages and if you keep on trying, your
access will be (temporarily) denied.
Better try to get a new password from the web master. This is really the easiest way to obtain a new password. If that's not possible, follow the inconvenient but secure procedure described below.
Click the Forgotten your password? link in the login dialogue to enter the 'Please enter your username and e-mail address and press the button.' dialogue:
![[ Exemplum Primary School, logout, username user, e-mail address 'e-mail address' ]](login/login_forgotten_password.png)
Enter your user name and the e-mail address that was used when the account
was created. Press the [Enter] key on your keyboard or click the [OK]
button.
The 'Please see your e-mail for further instructions.' dialogue opens:
![[ Exemplum Primary School, pop up: see e-mail, see e-mail, message= see e-mail ]](login/login_forgotten_password_email_1.png)
NOTICE:
When you, at this very moment, remember your old password, you can click away the pop-up window, but do not press the [OK] button in the 'Please see your e-mail for further instructions.' dialogue. After pressing the [OK] button, your old password will not be usable anymore!
Check your e-mail for a message like the following:
Subject: One-time login code request
Date: Fri, 17 Dec 2010 22:27:16 +0100
From: Exemplum Primary School <webmaster@exemplum.eu>
To: w.bladergroen@exemplum.eu (Wilhelmina Bladergroen)
Here is a link with a one-time code that will allow you to
request a new, temporary password. Copy the link below to
the address bar in your browser and press [Enter]:
http://exemplum.org/index.php?login=4&username=hparkh&code=BEJZ51CYT9F6KPHPS05W
Alternatively, you can go to this location:
http://exemplum.org/index.php?login=4
and enter your username and this one-time code:
X8XDCOE2X0M2RYQRGJLY
Note that this code is valid for only 30 minutes.
The request for this one-time code was received from this
address:
172.17.2.23
Good luck!
Your automated webmaster
If the first URL fails (see 4.5
One time code error), copy the one time code and use the second URL.
Press the [OK] button, whereafter the Please enter your username
and one-time code and press the button. dialogue opens:
![[ Exemplum Primary School, username 'user', one time code X8X...JLY ]](login/login_forgotten_password_enter_one_time_code.png)
Enter the one-time code and press the [Enter] key on your
keyboard or use the [OK] button, to enter the Please see
your e-mail for your new temporary password. dialogue:
![[ Exemplum Primary School, pop up: see e-mail, message= see e-mail ]](login/login_forgotten_password_email_2.png)
Another mail is sent to you, containing the temporary password:
Subject: One-time login code request
Date: Fri, 17 Dec 2010 22:30:17 +0100
From: Exemplum Primary School <webmaster@exemplum.eu>
To: w.bladergroen@exemplum.eu (Wilhelmina Bladergroen)
Here is your temporary password:
9Y5tUk4q
Note that this password is valid for only 30 minutes.
The request for this temporary password was received
from this address:
172.17.2.23
Good luck!
Your automated webmaster
Enter the user name and copy & paste the one time password in the
password field:
![[ Exemplum Primary School, username name, password *******, message= see e-mail ]](login/login_forgotten_password_enter_temp_password.png)
Press Enter or the [OK] button, to enter the You have to
change your password now. dialogue:
![[ Exemplum Primary School, username name, password ******, new password *******, confirm new password ******* ]](login/login_forgotten_password_enter_new_password.png)
After clicking the [OK] button, the ...successfully
changed. dialogue opens:
![[ Exemplum Primary School, pop up: success, message= success ]](login/login_forgotten_password_successfull_change.png)
In the pop up window, click [OK] to remove it. Next, click [OK] and enter the site. Go to My page, select admin.php and you are in Website@School management.
You also receive an e-mail, confirming the change of your password.
Subject: One-time login code request
Date: Fri, 17 Dec 2010 22:33:18 +0100
From: Exemplum Primary School <webmaster@exemplum.eu>
To: w.bladergroen@exemplum.eu (Wilhelmina Bladergroen)
Your password has been changed.
The password change request was received
from address 172.17.2.23 on 2010-12-17 22:35:48.
Kind regards,
Your automated webmaster.
As you may have noticed, changing your password is, for security reasons,
a complicated process. It's easier to remember your secure password, or
humbly address the webmaster.
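The one-time code step of the procedure above, sketched as an added example (not Website@School's own code). It assumes 20-character codes from A-Z and 0-9, matching the shape of the codes in the sample mail, and stores only a hash of the code; the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # shape of the codes in the sample mail
CODE_LENGTH = 20
VALID_BYPASS_INTERVAL = 30 * 60                    # 30 minutes, as stated in the mail

class OneTimeCodes:
    """Issue and redeem one-time codes (hypothetical helper, in-memory store)."""

    def __init__(self):
        self._pending = {}  # username -> (sha256 hex digest of code, expiry time)

    def issue(self, username, now):
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        digest = hashlib.sha256(code.encode()).hexdigest()
        # A new request replaces any older code for the same user.
        self._pending[username] = (digest, now + VALID_BYPASS_INTERVAL)
        return code  # only ever leaves the system inside the e-mail

    def redeem(self, username, code, now):
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires = entry
        # strip() tolerates whitespace picked up when the code is copy & pasted.
        presented = hashlib.sha256(code.strip().encode()).hexdigest()
        ok = hmac.compare_digest(digest, presented) and now < expires
        if ok or now >= expires:
            del self._pending[username]  # single use; expired codes are purged
        return ok

if __name__ == "__main__":
    store = OneTimeCodes()
    code = store.issue("wblader", now=0)         # constructed timestamps, in seconds
    print(store.redeem("wblader", code, 600))    # within 30 minutes
    print(store.redeem("wblader", code, 601))    # second use of the same code
```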
Below some of the most
common error messages during log in are summed up. The error messages are
shown here in the way they appear in the yellow message bar.
If you have entered a wrong username/password combination, you receive a popup window with an error message:
Invalid credentials, please try again
![[ Exemplum Primary School, pop up: invalid credentials, message= invalid credentials ]](login/login_wrong_user_password.png)
NOTICE:
Do not try endlessly to find your forgotten password, but try to remember it.
After 10 attempts, you are taken to the Forgotten your
password? dialogue. See paragraph 3. Forgotten
your password? on renewing it.
The forgot password procedure asks for your username and email address. If you have entered a wrong username/email-combination, you see an alert box with an error message 'Invalid username and email address'. After pressing the [OK] button to remove the alert, you get another chance to enter the correct combination. The number of attempts is limited; by default you can retry 10 times.
![[ Exemplum Primary School, pop up: invalid credentials, message= invalid credentials ]](login/login_too_many_attempts_forgot_password.png)
If you persist and enter an incorrect combination for the 11th time, you will be locked out for a configurable amount of time (default 8 minutes).
![[ Exemplum Primary School, pop up: invalid username, message= invalid username ]](login/login_wrong_user_and_mail.png)
After yet 10 more failed logins, you get:
![[ Exemplum Primary School, pop up: too many attempts, message= too many attempts ]](login/login_too_many_attempts.png)
And if you persist, clicking the [ok] button:
![[ Exemplum Primary School, pop up: access denied, message= access denied ]](login/login_access_denied.png)
This is a feature to protect Website@School against automated password
cracking attempts. Wait 8 minutes and try again.
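The escalation described in this paragraph and in the configurable parameters of 1.1, modelled as an added example (not Website@School's own code). The 10-attempt and 8-minute values come from this page; the 20-attempt ceiling is read from "yet 10 more", and the failures window, the key the counter is tracked by and all names are assumptions.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window failed-login counter with a timed blacklist."""

    def __init__(self, forgot_after=10, max_attempts=20,
                 failures_interval=12 * 60, blacklist_interval=8 * 60):
        self.forgot_after = forgot_after              # page: dialogue after 10 attempts
        self.max_attempts = max_attempts              # assumed from "yet 10 more"
        self.failures_interval = failures_interval    # constructed value, in seconds
        self.blacklist_interval = blacklist_interval  # page default: 8 minutes
        self._failures = defaultdict(deque)           # key -> failure timestamps
        self._blocked_until = {}                      # key -> end of blacklist period

    def is_blocked(self, key, now):
        until = self._blocked_until.get(key)
        if until is not None and now < until:
            return True
        self._blocked_until.pop(key, None)            # blacklist period is over
        return False

    def record_failure(self, key, now):
        """Count one failed login and return the resulting state."""
        if self.is_blocked(key, now):
            return "access_denied"                    # no credential check while blocked
        recent = self._failures[key]
        recent.append(now)
        while now - recent[0] >= self.failures_interval:
            recent.popleft()                          # forget failures outside the window
        if len(recent) > self.max_attempts:
            self._blocked_until[key] = now + self.blacklist_interval
            recent.clear()
            return "blacklisted"
        if len(recent) >= self.forgot_after:
            return "forgot_password"                  # steer the user to the reset dialogue
        return "retry"

def replay(throttle, key, times):
    """Feed constructed failure timestamps through the throttle."""
    return [throttle.record_failure(key, t) for t in times]

if __name__ == "__main__":
    # Constructed input: 22 failures, one per second, from a documentation address.
    for n, state in enumerate(replay(LoginThrottle(), "192.0.2.10", range(22)), 1):
        print(n, state)
```

Because old failures drop out of the window, a slow enough guesser never reaches either threshold, which is why the window length matters as much as the attempt counts.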
When a login lasts more
than 24 hours, the user is automatically logged out:
![[ Exemplum Primary School, pop up: forcefully logged out, message= forcefully logged out ]](login/login_forcefully_logged_out.png)
Remove the pop up message and log in again. This feature can be set in
'Session expiry interval', see chapter Configuration Manager,
paragraph Site.
![[ Access denied, two links ]](login/login_access_disabled.png)
You probably have no or not enough permissions to enter Website@School Management. Please use one of the links.
Another often occurring reason for this error is when the webmaster has created your account, but forgot to give you (enough) permissions to enter Website@School management.
Some browsers or
some e-mail clients (?) have problems with the full URL of the one time code.
In that case you get the following message:
![[ Invalid one time code, please try again ]](login/login_invalid_one_time_code.png)
In this case, copy the second URL to your browser and copy & paste the
one-time code in the One-time code field.
To summarise this
chapter: it's much easier to remember your password than to
change it.
Author: Dirk Schouten <schoutid (at) Knoware (dot) nl>
Last updated: 2012-04-03