5 May 2009 at 4:29am
Is there a way that when someone logs in and they provide the correct email address but not the correct password to tell them "Sorry your password is not correct."? Giving them the option to click on Forgot My Password.
Or to put the email address back in the email field.
Then is there a way to restrict/disable a login if someone has tried to log in 3 times and failed?
I am days away from launching a new site on SS and I'm totally excited about all that can be done with SS. Great job whoever conceived SS.
5 May 2009 at 8:17am
Not sure on this one, but both requests probably require serious modification (especially the three strikes one).
I will say from experience that telling a user what portion of their login credentials is incorrect instantly makes your login half as secure. And that's exactly what I would tell my client if they are asking for this.
6 May 2009 at 12:15am
There is some functionality along the lines of disabling login for a given username after so many failed login attempts. It doesn't appear to be mentioned on the docs site but you can find it mentioned in the API docs. For more understanding of how it works, you might want to look at the source of class Member.
I've never used this feature....
Hope this helps,
6 May 2009 at 10:20am
Thank you for this. I appreciate you.
Yeah, this looks very interesting. It seems you can restrict a login, but how do you (I wonder) update the record to reflect enabled.
I'll keep you posted on what I find. There seems to be so much you can do if you can get your head around it and find out the syntax and proper structure.
7 May 2009 at 12:27am
"...but how do you (I wonder) update the record to reflect enabled. "
Are you wondering how to go into the admin interface and unlock a locked account?
7 May 2009 at 12:35am
Yes...That too. Here is my process:
1.) User registers for an account
2.) They get added to a group with the status of disabled
3.) Their request gets reviewed and if approved their status needs to be changed to enabled and an email sent to them.
4.) If they try to log in too many times I would like to disable them for 30 minutes or so just so we don't have hackers trying to get into the system. (This happens)
7 May 2009 at 10:39pm
If you're wanting a way to manually clear the lock out, you might try poking around in class Member's source, particularly looking at getCMSFields(). That method currently hides the "LockedOutUntil" field.
Hope this helps,
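
The lockout behaviour discussed in this thread (three failed logins, a 30-minute lock, the same error text whichever credential was wrong, and a manual unlock), as an added example that is not part of any post and is not SilverStripe's own code. It is plain PHP; the class `LoginThrottle`, the field `FailedLoginCount` and the in-memory account array are assumptions, and only the name `LockedOutUntil` comes from the thread.

```php
<?php
// Added illustration in plain PHP, not SilverStripe code; only the name LockedOutUntil is from the thread.
class LoginThrottle {
    const MAX_FAILURES = 3;     // the "3 times" asked for in the thread
    const LOCK_SECONDS = 1800;  // "30 minutes or so"
    const GENERIC_ERROR = 'Sorry, that email address or password is not correct.';
    private $accounts = array(); // email => record, stands in for the member table

    public function register($email, $password) {
        $this->accounts[strtolower($email)] = array(
            'Hash' => password_hash($password, PASSWORD_DEFAULT),
            'FailedLoginCount' => 0, 'LockedOutUntil' => null,
        );
    }

    // Returns array($ok, $message). $now is a Unix timestamp, passed in so the logic is testable.
    public function attempt($email, $password, $now) {
        $key = strtolower($email);
        if (!isset($this->accounts[$key])) {
            return array(false, self::GENERIC_ERROR);  // unknown email: same text
        }
        $acct =& $this->accounts[$key];
        $locked = $acct['LockedOutUntil'] !== null && $now < $acct['LockedOutUntil'];
        if ($locked || !password_verify($password, $acct['Hash'])) {
            if (!$locked && ++$acct['FailedLoginCount'] >= self::MAX_FAILURES) {
                $acct['LockedOutUntil'] = $now + self::LOCK_SECONDS;
                $acct['FailedLoginCount'] = 0;
            }
            return array(false, self::GENERIC_ERROR);  // wrong password or locked: same text
        }
        $this->unlock($email);  // a successful login resets the counters
        return array(true, 'Logged in.');
    }

    // Manual unlock: what an admin does by clearing LockedOutUntil.
    public function unlock($email) {
        $key = strtolower($email);
        if (!isset($this->accounts[$key])) { return; }
        $this->accounts[$key]['FailedLoginCount'] = 0;
        $this->accounts[$key]['LockedOutUntil'] = null;
    }
}

// Constructed sample run: three wrong guesses, then the right password while locked.
$t = new LoginThrottle();
$t->register('user@example.com', 'correct horse');
foreach (array('guess1', 'guess2', 'guess3', 'correct horse') as $i => $pw) {
    list($ok, $msg) = $t->attempt('user@example.com', $pw, 1000 + $i);
    echo ($ok ? 'OK:   ' : 'FAIL: ') . $msg . "\n";
}
```

Attempts made while the lock is active do not extend it, so a legitimate user regains access once the 30 minutes pass or after `unlock()` is called.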