Website@School Users' Guide
Prev		Next

Logging in and out

1. Introduction
1.1 Features
1.2 Assumptions
1.3 Password requirements

2. Logging in and out
2.1 Logging in
2.2 Logging out

3. Forgotten your password?

4. Error messages
4.1 Incorrect User name or password
4.2 Too many login attempts
4.3 Auto logout
4.4 Access denied
4.5 One-time code error

5. Tips
5.1 A link from public- to a private Area
5.2 Do not change a password!

6. Concluding remarks

1. Introduction

This chapter describes the logging in and logging out procedures, the password requirements and how to renew your password. This last procedure is rather well secured but somewhat complicated, because the process is accessible through the Internet. Error messages related to the logging in procedure are also discussed here.

Remembering your password and keeping it safe, or asking for a new one directly from the webmaster, is always much easier than using the Internet password renewal procedure.

1.1. Features

The password facility has the following features:

Strong password requirements: See paragraph 1.3 Password requirements.
Logging: Every successful login, logout, login attempt or failed login is logged.
Configurable parameters: Several aspects related to the log in and log out procedure and the session management are configurable, see chapter Configuration Manager, paragraph Site for details.
The configurable parameters are:
- Session expiry interval: Defines a time period after which a User's session is timed out after continuous inactivity. After the time has expired, the User is logged out and an error message is displayed on the web page.
- Maximum allowed login attempts: After a configurable number of failed login attempts, the User is asked if the 'Forgotten your password ?' procedure should be started. If the User still persists in further log in attempts, the User is eventually blacklisted. This is a security feature. See items below.
- Login failures interval: The time period in which the blacklist is consulted before a User is removed from the blacklist due to previous login failures. A User has to wait for this configurable time before any fresh login attempts can be made. This is a security feature.
- Valid bypass interval: This item refers to the 'Forgotten your password?' procedure.
  After sending the first email containing the one-time code, the User has thirty minutes to read and enter the one-time code. If this time is exceeded, the one-time code expires and cannot be used.
- Blacklist interval: The time that a User is placed on the blacklist. In this period, the system is unaccessible for that User.

1.2 Assumptions

This chapter elaborates on other chapters. We assume you have read and completed the General part of the Table of Contents.

1.3 Password requirements

Website@School does not accept simple passwords like 'helen' or 'maria2'. These simple passwords are easy to guess and using them endangers Website@School, the school server and the data on it. Passwords must have certain properties to make them difficult to guess.
A Website@School password must:

have at least a minimum length of six characters,
have at least one uppercase character (A-Z).
have at least one lowercase character (a-z).
have at least one digit (0-9)
preferably have special character like: at-sign '@', hash '#', dollar '$', percentage sign '%', caret '^', ampersand '&', asterisk '*', left parenthesis '(', right parenthesis ')', dash '-', underscore '_', plus '+', equals '=', left curly brace '{', right curly brace '}', opening bracket '[', closing bracket ']', semicolon ';', slash '/', dot '.' and question mark '?'.

It is a good idea to choose a password of more than six characters long. A good password, for example, is 'Mrbh3ws!' (omit the quotes). This password is easy to remember when you know it stands for the sentence: "My red bike has 3 wheels!". This makes it a good password because it is quite difficult to guess when you do not know the original sentence. Using this method is an easy way for pupils to create difficult passwords and yet still remember them.

NOTE: When creating Users and assigning them passwords, the passwords must meet the above requirements.

(top)

2. Logging in and out

When trying to log in, bear in mind that there are three types of Users in Website@School:

Regular visitors of the site and areas, having no account to log in anywhere.
Users with an account with permissions only to read Private Area(s) (i.e.Intranet(s)).
Users with an account that permits them to perform management tasks in Website@School.

NOTE: Regular visitors (1) are just visitors, having no access at all.
Users with Intranet read access (2) can login via the site, i.e. via index.php.
Users (3) with sufficient permissions to undertake management tasks can login via the standard login dialogue, i.e. via admin.php.

A User with only Intranet read permissions, who accidentally or deliberately tries to log in using admin.php, is allowed to log in, but encounters the Access denied dialogue:

login_access_disabled.png

The User can now either:

Select the public site and access the Intranet(s) Areas via the 'Select Area' dropdown menu, because the User is already logged in, or
Select login, where the User is logged out and is allowed to log in again with another account name or with sufficient permissions to enter Website@School management.

NOTE: Newly created Users, whose access permissions have not been set, receive the same Access denied message.

Logging in can be done via index.php or admin.php. When switching from site access to management access or vice versa, the User does not have to login again. When logging out of the site, the User is also logged out of Website@School management mode, and vice versa.

NOTE: When the User tries to log in again, he can be immediately redirected to another site, please read 4.4 After login attempt redirected to the website

2.1 Logging in

Open a browser and go to http://exemplum.eu/admin.php. This is a fictional URL, replace it with the real URL of your school. Only replace the URL of the school, but keep the admin.php part.
Next, [Enter] To start the login dialogue:

[ Exemplum Primary School login page, username name, password ******** ]

login_logging_in.png

Explanation:

username: Enter the username you created during installation or received from the webmaster. For example wblade.
Password: Enter the password you created during the installation or received from the webmaster. The password is not displayed, but shown as ******** asterisks. This is a security feature.
[OK] or [Enter]: Press the [Enter] key on your keyboard, or click [OK] to enter Website@School Management Welcome page.
home: Link to the home page of the school site.
Forgotten your password?: When the password has been forgotten, use this link to obtain a new password. See paragraph 3. Forgotten your password? for further details.

After a successful login, you are positioned on the Website@School Welcome page:

Xlogin_was_home_after_login.png

The Website@School is managed from this page.

NOTE: The following URL opens the login screen in a particular language (in this case Finnish):
http://exemplum.eu/admin.php?language=fi.
For details on the country codes to choose for the desired language, see: http://www.w3.org/WAI/ER/brIG/ert/iso639.htm.
Ignore the 'obsolete' in the above web page as it works fine.
For further details on this matter, see Wikipedia on http://en.wikipedia.org/wiki/ISO_639.

2.2 Logging out

After having completed your tasks in Website@School you must log out to end your session.

NOTE: Do not terminate your session by exiting your browser or clicking the X in the upper right corner of your browser. This drastic action will indeed terminate your session, but it does not unlock the items you were working with. On the next login attempt, you may be confronted with locked pages, see paragraph 4.3 Locked pages.

To end your session in Website@School, click the link logout Full Name in the upper right hand corner of the screen to log out. The logout dialogue opens:

[ Exemplum Primary School, pop up: success, message= success ]

login_logged_out.png

After logging out, two possibilities are available:

You are returned to the login dialogue and can login again after reading the pop-up message and clicking the [OK] button, or
you are returned to some other external web page. This depends on your account settings in the User's properties. These are set in the account manager and are discussed in chapter Account Manager, paragraph 3.3 Edit User username (Full Name ).

3. Forgotten your password?

When you have forgotten your password, it is strongly advisable not to keep on making failed attempts to login. This will result in many error messages and access to the web site will eventually be denied (albeit temporarily).
It is better to request a new password directly from the webmaster; it is the easiest way to obtain a new password. If that is not possible, follow the longer but secure procedure described below.

Click the Forgotten your password? link in the login dialogue to enter the Please enter your username and email address and press the button. dialogue:

[ Exemplum Primary School, logout, username User, email address 'email address' ]

login_forgotten_password.png

Enter your username and the email address that was used when the account was created. Press the [Enter] key on your keyboard or click the [OK] button.
The Please see your email for further instructions. dialogue opens:

[ Exemplum Primary School, pop up: see email, see email, message= see email ]

login_forgotten_password_email_1.png

NOTE: If at this point, you suddenly remember your old password, you can close the pop-up window by clicking on the X in the upper right corner, but do not press the [OK] button in the Please see your email for further instructions. dialogue. After pressing the [OK] button, your old password will not be usable anymore!

Here is an example of the email that will be sent to you:

Subject: One-time login code request
Date: Fri, 17 Dec 2010 22:27:16 +0100
From: Exemplum Primary School <webmaster@exemplum.eu>
To: w.bladergroen@exemplum.eu (Wilhelmina Bladergroen)

Here is a link with a one-time code that will allow you to
request a new, temporary password. Copy the link below to
the address bar in your browser and press [Enter]:

http://exemplum.org/index.php?login=4&username=hparkh&code=BEJZ51CYT9F6KPHPS05W

Alternatively, you can go to this location:

    http://exemplum.org/index.php?login=4

and enter your username and this one-time code:

    X8XDCOE2X0M2RYQRGJLY

Note that this code is valid for only 30 minutes.

The request for this one-time code was received from this
address:

    172.17.2.23

Good luck!

Your automated webmaster

If the first URL fails (see 4.5 One-time code error), copy the one-time code and use the second URL.

Press the [OK] button, then the Please enter your username and one-time code and press the button. dialogue opens:

[ Exemplum Primary School, username 'user', one time code X8X...JLY ]

login_forgotten_password_enter_one_time_code.png

Enter the one-time code and press the [Enter] key on your keyboard or use the [OK] button, to enter the Please see your email for your new temporary password. dialogue:

[ Exemplum Primary School, pop up: see email, message= see email ]

login_forgotten_password_email_2.png

A second email is sent to you containing a temporary password. The password is temporary because it can only be used for one login and then it expires.

Subject: One-time login code request
Date: Fri, 17 Dec 2010 22:30:17 +0100
From: Exemplum Primary School <webmaster@exemplum.eu>
To: w.bladergroen@exemplum.eu (Wilhelmina Bladergroen)

Here is your temporary password:

    9Y5tUk4q

Note that this password is valid for only 30 minutes.

The request for this temporary password was received
from this address:

    172.17.2.23

Good luck!

Your automated webmaster

Enter the username and copy and paste the one-time password into the password field:

[ Exemplum Primary School, username name, password *******, message= see email ]

login_forgotten_password_enter_temp_password.png

Press Enter or the [OK] button, to enter the You have to change your password now. dialogue:

[ Exemplum Primary School, username name, password ******, new password *******, confirm new password ******* ]

login_forgotten_password_enter_new_password.png

username: Enter your username.
Password: Copy and paste the one-time password you received in the second mail.
New password: Enter a new secure password, see paragraph 1.4 Password requirements to create a secure password. Save the new password in a safe place.
NOTE: The new password may not be the same as the one-time password or the previous forgotten password!
Confirm new password: Retype the new password.
OK: Press the [Ok] button to send the new password.

After clicking the [OK] button, the Your password was successfully changed. dialogue opens:

[ Exemplum Primary school, pop up: success, message= succes ]

login_forgotten_password_successful_change.png

In the pop-up window, click [OK] to close it. Next, click [OK] and enter the site. Go to My page, select admin.php and you are in Website@School management.

An email confirming the change of password will also be sent to you.

Subject: One-time login code request
Date: Fri, 17 Dec 2010 22:33:18 +0100
From: Exemplum Primary School <webmaster@exemplum.eu>
To: w.bladergroen@exemplum.eu (Wilhelmina Bladergroen)

Your password has been changed.

The password change request was received
from address 172.17.2.23 on 2010-12-17 22:35:48.

Kind regards,

Your automated webmaster.

As you may have noticed, changing your password is, for security reasons, a long process. It is far easier to remember your secure password, or request a new one directly from the webmaster.

(top)

4. Error messages

Here are some of the common error messages which may arise during the login process.

4.1 Incorrect username or password

If an incorrect username/password combination has been entered, the following pop-up window with an error message will be displayed.

[ Exemplum Primary School, pop up: invalid creentioals, message= invalid credentials ]

login_invalid_credentials.png

NOTE: Do not continue to try entering a password which you may have forgotten. After ten attempts (by default), you are taken to the Forgotten your password? dialogue. See paragraph 3. Forgotten your password? for renewing it.

4.2 Too many login attempts

The forgotten password procedure requires a username and email address. If a incorrect username/email combination has been entered, an alert box with an error message 'Invalid username and email address' is displayed. After pressing the [OK] button to close the alert window, there is another chance to enter the correct username/email combination. The number of attempts allowed is limited (by default only a maximum of ten reties).

[ Exemplum Primary School, pop up: invalid credentials, message= invalid credentials ]

login_too_many_attempts_forgot_password.png

If more than the allowed login attempts are exceeded, the username will be locked out for a configurable amount of time (default is eight minutes) and no login attempts can be made.

[ Exemplum Primary School, pop up: invalid username, messge=invalid username ]

login_invalid_user_and_mail.png

When the maximum log on attempts have been exceeded, the following message is displayed:

[ Exemplum Primary Schoo, pop up: too many attempts, messge= toom many attempts ]

login_too_many_attempts.png

And if further login attempts are made, the following message is displayed:

[ Exemplum Primary School, pop up: access denied, message= access denied ]

login_access_denied.png

This Login denial is a security feature to protect Website@School against automated password cracking attempts. After the default time period has passed (default eight minutes), logins can again be attempted.

4.3 Auto logout

If a login session lasts longer than twenty-four hours, the User is automatically logged out.

[ Exemplum Primary School, pop up: forcefully logged out, message= forcefully logged out ]

login_forcefully_logged_out.png

Close the pop-up message window and attempt a login again. This feature can be set in 'Session expiry interval', see chapter Configuration Manager, paragraph Site.

4.4 Access denied

This message is displayed when the User has no permission to enter Website@school Management function. Click on one of the displayed link to continue.

login_access_disabled.png

Another frequent reason for this error can be when the webmaster has created a new User account, but has forgotten to assign the permission to the User to enter the Website@School management function.

4.5 One-time code error

Some browsers and some email clients have problems with the full URL sent with the one-time code email. In that case, the following message is displayed:

[ Invalid one time code, please try again ]

login_invalid_one_time_code.png

If this happens, simply copy the second URL into your browser and copy and paste the one-time code into the One-time code field.

(top)

5. Tips

5.1 A link from a public- to a private Area

You have on a public area, created a link to a private area. When a visitor clicks that link, she can land on either:

The log in screen: The user was not logged in, so she has to log in to visite the protected area.
The page on the private area: The user was already logged in, so no username and password are required.

5.2 Do not change a password!

If a User has been found to be guilty of malicious conduct then it is advisable not to change the User's password to prevent logging in, but simply make this User inactive or delete the User's account completely.
The reason behind this advice is: if the administrator changes the password, the User still can request a new password and log in again.
Bear in mind that deleting the account also deletes everything in the User's 'My Files' directory.

(top)

6. Concluding remarks

To summarize this chapter: It is much easier to remember your password than to change it.

(top)

Prev	Home	Next
Basic procedures for beginners		Installation

Author: Dirk Schouten <dirk (at) websiteatschool (dot) eu>

Ver 1.2 Last updated: 2014-09-06