Contents
1. Introduction
1.1 Features
1.2 Assumptions
1.3 Password requirements
2. Logging in and out
2.1 Logging in
2.2 Logging out
3. Forgotten your password?
4. Error messages
4.1 Wrong user name or password
4.2 Too many login attempts
4.3 Auto logout
4.4 Access denied
5. Concluding remarks
This chapter describes the log in and log out procedure for the different users of Website@School, the password requirements and how to renew your password when you have forgotten it. This last procedure is rather well secured (and thus complicated), because it is accessible via the web. You do not want someone to tamper with your valuable password.
Believe us, remembering your password is much easier than the password refresh procedure.
Furthermore, some error messages are discussed.
The password facility has the following features, in
no specific order:
- Strong password requirements: Please see paragraph 1.4 Password requirements.
- Logging: Every successful login, logout, login attempt and failed login is logged.
- Configurable parameters: Several aspects related to the log in/log out procedure and the session management are configurable, see chapter Configuration Manager, paragraph Site for details.
Here is a list:
- Session expiry interval: Defines when a user session is timed out. After a configurable time of user inactivity, the session is timed out, the user is logged out and an error message is displayed.
- Maximum allowed login attempts: After a configurable number of logins, the user is asked if he wants to go to the 'Forgotten your password?' procedure. If he persists in logging in, he is blacklisted. See items below. This is a security feature.
- Login failures interval: The time window in which the blacklist is consulted before deleting a user's failed login attempts. So, a user has to wait a configurable time before he can undertake new attempts. This is a security feature.
- Failed login attempts: After a configurable number of failed login attempts, the user automatically gets the 'Forgotten your password?' dialogue.
- Valid bypass interval: This item refers to the 'Forgotten your password?' procedure. After sending the first mail, containing the one-time code, the user has 30 minutes to read and enter the one-time code. If the time is exceeded, the one-time code expires.
- Blacklist interval: The time a user is put on the blacklist. In this period, the system is inaccessible for that user.
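How the failed-attempt threshold, the login failures interval and the blacklist interval work together can be shown with a small model. This is an added example, not Website@School's own code: the class and method names are hypothetical, the key (for instance the client address) and the 12-minute failures interval are assumptions, and only the 10 retries and the 8-minute lockout are defaults named in this chapter.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Simplified model: sliding window of failures plus a timed blacklist."""

    def __init__(self, failed_attempts=10, max_attempts=11,
                 failures_interval=12 * 60, blacklist_interval=8 * 60):
        # 10 retries and the 8-minute lockout are the chapter's defaults;
        # failures_interval (in seconds) is an assumed value.
        self.failed_attempts = failed_attempts
        self.max_attempts = max_attempts
        self.failures_interval = failures_interval
        self.blacklist_interval = blacklist_interval
        self._failures = defaultdict(deque)  # key -> timestamps of failures
        self._blacklist = {}                 # key -> time the block ends

    def is_blocked(self, key, now):
        until = self._blacklist.get(key)
        if until is not None and now < until:
            return True
        self._blacklist.pop(key, None)       # block has expired
        return False

    def record_failure(self, key, now):
        """Return 'blocked', 'offer_reset' or 'retry' for a failed login."""
        if self.is_blocked(key, now):
            return "blocked"
        window = self._failures[key]
        # Forget failures that fell out of the login failures interval.
        while window and now - window[0] >= self.failures_interval:
            window.popleft()
        window.append(now)
        if len(window) >= self.max_attempts:
            # Persisting past the limit: blacklist for the blacklist interval.
            self._blacklist[key] = now + self.blacklist_interval
            window.clear()
            return "blocked"
        if len(window) >= self.failed_attempts:
            return "offer_reset"             # show 'Forgotten your password?'
        return "retry"

    def record_success(self, key):
        self._failures.pop(key, None)        # a good login resets the count
```

Timestamps are passed in as plain seconds so the behaviour can be replayed and tested without waiting for real time to pass.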
This chapter elaborates on other chapters. We assume you have read and done the General part of the Table of Contents.
Website@School does not accept simple passwords like 'helen' or 'maria2'. These simple passwords are easy to guess and using them endangers Website@School, the school server and the data on it. Passwords must have certain properties to make them difficult to guess. A Website@School password must:
- have a minimum length of 6 (six) characters,
- have at least 1 (one) uppercase character (A-Z),
- have at least 1 (one) lowercase character (a-z),
- have at least 1 (one) digit (0-9),
- preferably have a special character like: at-sign '@', hash '#', dollar '$', percentage sign '%', caret '^', ampersand '&', asterisk '*', left parenthesis '(', right parenthesis ')', dash '-', underscore '_', plus '+', equals '=', left curly brace '{', right curly brace '}', opening bracket '[', closing bracket ']', semicolon ';', slash '/', dot '.' and question mark '?'.
It is a good idea to choose a password more than 6 characters long. A good password, as an example, is 'Mrbh3ws!' (omit the quotes). This password is easy to remember when you know it stands for the sentence: "My red bike has 3 wheels!". However, and that makes it a good password, it's very difficult to guess when you do not know the sentence. This 'sentence trick' is an easy way for pupils to create difficult passwords and remember them.
NOTICE:
When creating users and giving them passwords, the
passwords must meet the above requirements.
When trying to log in, please bear in mind that there are three types of users in Website@School:
1. Regular visitors of the site and areas, having no account to log in anywhere.
2. Users with an account with permissions only to read Private Area(s) (i.e. Intranet(s)).
3. Users with an account that permits them to perform management tasks in Website@School.
NOTICE:
Regular visitors (1) are just visitors, having no access at all.
Users with Intranet read access (2) can login via the site, i.e. via index.php.
Users (3) with enough permissions to do management tasks can login via the login dialogue, i.e. via admin.php.
A user with only Intranet read permissions, accidentally trying to log in via admin.php, is logged in, but encounters the Access denied dialogue:
login_access_not_valid.png
The user can now either:
- Select the public site and access her Intranet(s) via the 'Select Area' dropdown menu, because she is already logged in, or
- Select login, whereafter she first is logged out, to log in again with another account name or with sufficient permissions to enter Website@School management.
NOTICE:
Newly created users whose access permissions have not been set receive the same Access denied message. This results in a complaining user.
Logging in can be done via index.php and admin.php. When switching from the site to management or vice versa, the user does not have to login again. When logging out on the site, the user is also logged out in Website@School management and vice versa.
NOTICE:
When you try to log in and are immediately redirected to the site, please read 4.4 After login attempt redirected to the website.
Open a browser and go to http://exemplum.eu/admin.php. This is a fictional URL; replace it with the real URL of your school. Only replace the URL of the school, but keep the admin.php. Next, hit the [Enter] key to enter the login dialogue:
login_logging_in.png
Explanation:
- Username: Enter the user name you created during installation or received from the web master. For example wblader, webmaster.
- Password: Enter the password you created during the installation or received from the web master. The password is not shown; ******** is displayed instead. This is a security feature.
- [OK] or [Enter]: Press the [Enter] key on your keyboard, or click [OK] to enter Website@School Management; the Welcome page.
- home: Link to the home page of the school site.
- Forgotten your password?: When you forgot your password, use this link to obtain a new password. See paragraph 3. Forgotten your password? for further details.
After a successful login, you are on the Website@School Welcome page:
Xlogin_was_home_after_login.png
From this page Website@School is managed. See the Website@School Users Guide Table of contents for the respective chapters, or the Guided Tour for a brief overview.
NOTICE:
Please take note of the yellow status bar. This is the place where you receive status reports from Website@School. Texts can be cut and pasted for support questions.
After having done your job in Website@School you
must log out to end your session.
NOTICE:
Do not terminate your session by exiting your
browser or clicking the X in the upper right corner of
your browser. This brute force action will indeed kill
your session, but it does not unlock the materials you
were working with. The next time you login, you may be
confronted with locked pages, see paragraph 4.3 Locked pages.
To end your session in Website@School, click the link logout Full Name in the upper right corner of the screen to log out, whereafter the logout dialogue opens:
login_logged_out.png
After logging out, two possibilities are available:
- You are taken back to the login dialogue and can
login again after reading the pop up message and
clicking the [OK] button, or
- you are taken back to some other place. This depends on your account settings in the user properties. These are set in the account manager and are discussed in chapter Account Manager, paragraph 3.3 Edit user username (Full Name).
When you have forgotten your password, try to remember
it, but do not try it out endlessly. This results in
error messages.
Better try to get a new password from the web master. This is really the easiest way to obtain a new password. If that's not possible, follow the inconvenient but secure procedure described below.
Click the Forgotten your password? link in the login dialogue to enter the Please enter your username and e-mail address and press the button. dialogue:
login_forgotten_password.png
Enter your user name and the e-mail address that was used when
the account was created. Press the [Enter] key
on your keyboard or click the [OK] button.
The Please see your e-mail for further instructions. dialogue opens:
login_forgotten_password_email_1.png
NOTICE:
When you, at this very moment, remember your old password, you can click away the pop-up window, but do not press the [OK] button in the Please see your e-mail for further instructions. dialogue. After pressing that [OK] button, your old password will not be usable anymore!
Check your e-mail for a message like the following:
Subject: One-time login code request
Date: Fri, 17 Dec 2010 22:27:16 +0100
From: Exemplum Primary School <webmaster@exemplum.eu>
To: w.bladergroen@exemplum.eu (Wilhelmina Bladergroen)
Here is a link with a one-time code that will allow you to
request a new, temporary password. Copy the link below to
the address bar in your browser and press [Enter]:
http://exemplum.org/index.php?login=4&username=hparkh&code=BEJZ51CYT9F6KPHPS05W
Alternatively, you can go to this location:
http://exemplum.org/index.php?login=4
and enter your username and this one-time code:
X8XDCOE2X0M2RYQRGJLY
Note that this code is valid for only 30 minutes.
The request for this one-time code was received from this
address:
172.17.2.23
Good luck!
Your automated webmaster
As written, copy the link location or use the one time code.
Press the [OK] button, whereafter the Please enter your username and one-time code and press the button. dialogue opens:
login_forgotten_password_enter_one_time_code.png
Enter the one-time code and press the [Enter]
key on your keyboard or use the [OK] button, to enter
the Please see your e-mail for your new temporary password. dialogue:
login_forgotten_password_email_2.png
Another mail is sent to you, containing the temporary password:
Subject: One-time login code request
Date: Fri, 17 Dec 2010 22:30:17 +0100
From: Exemplum Primary School <webmaster@exemplum.eu>
To: w.bladergroen@exemplum.eu (Wilhelmina Bladergroen)
Here is your temporary password:
9Y5tUk4q
Note that this password is valid for only 30 minutes.
The request for this temporary password was received
from this address:
172.17.2.23
Good luck!
Your automated webmaster
Enter the user name and copy & paste the one time
password in the password field:
login_forgotten_password_enter_temp_password.png
Press Enter or the [OK] button, to enter the
You have to change your password now. dialogue:
login_forgotten_password_enter_new_password.png
After clicking the [OK] button, the ...successfully changed. dialogue
opens:
login_forgotten_password_successfull_change.png
In the pop-up window, click [OK] to remove it. Next, click [OK] and enter the site. Go to My page, select admin.php and you are in Website@School management.
You also receive an e-mail, confirming the change of
your password.
Subject: One-time login code request
Date: Fri, 17 Dec 2010 22:33:18 +0100
From: Exemplum Primary School <webmaster@exemplum.eu>
To: w.bladergroen@exemplum.eu (Wilhelmina Bladergroen)
Your password has been changed.
The password change request was received
from address 172.17.2.23 on 2010-12-17 22:35:48.
Kind regards,
Your automated webmaster.
As you may have noticed, changing your password is,
for security reasons, a complicated process. It's
easier to remember your secure password, or humbly
address the webmaster.
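The one-time code step of this procedure, with its 30-minute validity, can be modelled as follows. This is an added example and not Website@School's own code: the class and method names are hypothetical, and storing only a hash of the code, single-use redemption and the constant-time comparison are assumptions about a sound implementation, not something this chapter documents. The 20-character uppercase-and-digit format follows the sample e-mail above.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # as in the sample e-mail
CODE_LENGTH = 20
VALID_SECONDS = 30 * 60                             # "valid for only 30 minutes"


class OneTimeCodes:
    def __init__(self):
        # username -> (SHA-256 digest of the code, expiry time in seconds)
        self._pending = {}

    def issue(self, username, now):
        """Create a fresh code; an earlier code for the same user is replaced."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[username] = (digest, now + VALID_SECONDS)
        return code  # goes into the e-mail only; never stored in clear text

    def redeem(self, username, code, now):
        """Return True once for the right code inside the validity window."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires = entry
        if now >= expires:
            del self._pending[username]   # expired codes are discarded
            return False
        # strip() tolerates whitespace picked up when copying from the mail.
        offered = hashlib.sha256(code.strip().encode()).digest()
        if not hmac.compare_digest(digest, offered):
            return False                  # wrong guess: code stays pending
        del self._pending[username]       # single use
        return True
```

Because a wrong guess leaves the code pending, the number of guesses has to be limited separately, which is what the limit on attempts described under Error messages provides.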
Below, some of the most common error messages during login are summed up.
If you have entered a wrong username/password-combination, you see an
alert box with an error message 'Invalid credentials, please try again'. After pressing the [OK] button to remove the alert, you get another chance to enter the correct combination. The number of attempts is limited; by default you can retry 10 times.
login_wrong_user_password.png
NOTICE:
Do not try endlessly to find your forgotten password,
but try to remember it. After 10 attempts, you are
taken to the Forgotten your
password? dialogue. See paragraph 3. Forgotten your password? on
renewing it.
The forgot password procedure asks your username and email address. If you have entered a wrong username/email-combination, you see an alert box with an error message 'Invalid username and email
address'. After pressing the [OK] button to remove the alert, you get another chance to enter the correct combination. The number of attempts is limited; by default you can retry 10 times.
login_too_many_attempts_forgot_password.png
If you persist and enter an incorrect combination for the 11th time, you will be locked out for a configurable amount of time (default 8 minutes).
login_wrong_user_and_mail.png
After yet 10 more failed logins, you get:
login_too_many_attempts.png
And if you persist, clicking the [OK] button:
login_access_denied.png
This is a feature to protect Website@School against
automated password cracking attempts. Wait 8 minutes
and try again.
When a login lasts more than 24 hours, the user is
automatically logged out:
login_forcefully_logged_out.png
Remove the pop up message and log in again.
This feature can be set in 'Session expiry interval', see
chapter Configuration Manager, paragraph
Site.
login_access_disabled.png
You probably have no or not enough permissions to enter Website@School Management. Please use one of the links.
Another often occurring reason for this error is when the webmaster has created your account, but forgot to give you (enough) permissions to enter Website@School management.
To summarise this chapter: it's much easier to remember your password than to change it.
Author: Dirk Schouten <schoutid (at) Knoware (dot) nl>
Last updated: 2012-02-22