Half Correct Login


TerryMiddleton

Community Member, 108 Posts

5 May 2009 at 4:29am

Is there a way that when someone logs in and they provide the correct email address but not the correct password to tell them "Sorry your password is not correct."? Giving them the option to click on Forgot My Password.

Or to put the email address back in the email field.

Then is there a way to restrict/disable a login if someone has tried to log in 3 times and failed?

Terry

I am days away from launching a new site on SS and I'm totally excited about all that can be done with SS. Great job whoever conceived SS.

Double-A-Ron

Community Member, 604 Posts

5 May 2009 at 8:17am

Not sure on this one, but both requests probably require serious modification (especially the three strikes one).

I will say from experience that telling a user what portion of their login credentials is incorrect instantly makes your login half as secure. And that's exactly what I would tell my client if they are asking for this.

Cheers
Aaron

Ben Gribaudo

Community Member, 181 Posts

6 May 2009 at 12:15am

Terry,

There is some functionality along the lines of disabling login for a given username after so many failed login attempts. It doesn't appear to be mentioned on the docs site but you can find it mentioned in the api docs (http://api.silverstripe.org/sapphire/security/Member.html#lock_out_after_incorrect_logins). For more understanding of how it works, you might want to look at the source of class Member (http://open.silverstripe.com/browser/modules/sapphire/trunk/security/Member.php).

I've never used this feature....

Hope this helps,
Ben

TerryMiddleton

Community Member, 108 Posts

6 May 2009 at 10:20am

Ben

Thank you for this. I appreciate you.

Yeah, this looks very interesting. It seems you can restrict a login, but how do you (I wonder) update the record to reflect enabled.

I'll keep you posted on what I find. There seems to be so much you can do if you can get your head around it and find out the syntax and proper structure.

Thanks again,

Terry

Ben Gribaudo

Community Member, 181 Posts

7 May 2009 at 12:27am

Terry,

"...but how do you (I wonder) update the record to reflect enabled. "

Are you wondering how to go into the admin interface and unlock a locked account?

Ben

TerryMiddleton

Community Member, 108 Posts

7 May 2009 at 12:35am

Ben,

Yes...That too. Here is my process

1.) User registers for an account
2.) They get added to a group with the status of disabled
3.) Their request gets reviewed and if approved their status needs to be changed to enabled and an email sent to them.
4.) If they try to login too many times I would like to disable them for 30 minutes or so just so we don't have hackers trying to get into the system. (This happens)

Thanks,

Terry

Ben Gribaudo

Community Member, 181 Posts

7 May 2009 at 10:39pm

Terry,

If you're wanting a way to manually clear the lock out, you might try poking around in class Member's source, particularly looking at getCMSFields(). That method currently hides the "LockedOutUntil" field.

Hope this helps,
Ben
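
The behaviour discussed in this thread, as an added example that is not part of any post and is not SilverStripe's own code: three failed attempts start a 30-minute lock, every failure returns the same message so the form does not reveal which credential was wrong, and an administrator can clear the lock by hand. Only the field name LockedOutUntil comes from the thread; the function names, constants and sample account are assumptions made for illustration.

```php
<?php
// Added example: a stand-alone model, not SilverStripe's Member class.
// Only the field name LockedOutUntil comes from the thread; the rest is hypothetical.
const MAX_FAILURES  = 3;        // the three failed attempts Terry asks about
const LOCK_SECONDS  = 30 * 60;  // the 30-minute lock Terry asks about
const GENERIC_ERROR = 'That email address or password is not correct.';

function new_member(string $password): array {
    return ['hash' => password_hash($password, PASSWORD_DEFAULT),
            'failures' => 0, 'LockedOutUntil' => null];
}

/** Returns null on success, otherwise the one message used for every failure. */
function attempt(array &$members, string $email, string $password, int $now): ?string {
    if (!isset($members[$email])) {
        return GENERIC_ERROR;                // unknown email: same wording as a bad password
    }
    $m = &$members[$email];
    if ($m['LockedOutUntil'] !== null && $now < $m['LockedOutUntil']) {
        return GENERIC_ERROR;                // locked: even the right password is refused
    }
    if (password_verify($password, $m['hash'])) {
        $m['failures'] = 0;
        $m['LockedOutUntil'] = null;
        return null;
    }
    if (++$m['failures'] >= MAX_FAILURES) {  // third strike starts the timed lock
        $m['failures'] = 0;
        $m['LockedOutUntil'] = $now + LOCK_SECONDS;
    }
    return GENERIC_ERROR;
}

/** Manual unlock: the effect of an administrator clearing LockedOutUntil. */
function unlock(array &$members, string $email): void {
    if (isset($members[$email])) {
        $members[$email]['failures'] = 0;
        $members[$email]['LockedOutUntil'] = null;
    }
}

// Constructed demo data: one account, timestamps in seconds, four attempts in a row.
$members = ['terry@example.com' => new_member('right-password')];
foreach (['bad1', 'bad2', 'bad3', 'right-password'] as $second => $pw) {
    var_dump(attempt($members, 'terry@example.com', $pw, $second));
}
var_dump(attempt($members, 'nobody@example.com', 'x', 10));   // address that was never registered
unlock($members, 'terry@example.com');
var_dump(attempt($members, 'terry@example.com', 'right-password', 10));
```

Because failures from anyone count against the account, a legitimate user can end up locked out, which is why the manual unlock path is included.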