Contents
1. Introduction
1.1 Features
1.2 Assumptions
1.3 Password requirements
2. Logging in and out
2.1 Logging in
2.2 Logging out
3. Forgotten your password?
4. Error messages
4.1 Wrong user name or password
4.2 Too many login attempts
4.3 Auto logout
4.4 Access denied
4.5 One time code error
5. Concluding remarks
This chapter describes the log in and log out procedure, the password
requirements and how to renew your password when you do not remember it
anymore. This last procedure is rather well secured, thus complicated,
because the process is accessible via the World Wide Web. You do not want
someone to tamper with your valuable password. Furthermore, some log in
error messages are discussed.
NOTICE:
Believe us, remembering your password, or humbly asking a new one from the
webmaster, is much easier than the password refresh procedure.
The password facility has the following features, in no specific order:
- Strong password requirements: Please see paragraph
1.3 Password requirements.
- Logging: Every successful login, logout, login
attempt and failed login is logged.
- Configurable parameters: Several aspects related to
the log in and log out procedure and the session management are
configurable, see chapter Configuration Manager, paragraph Site for
details.
Here is a list:
- Session expiry interval: Defines when a user
session is timed out. After a configurable time of user inactivity,
the session is timed out, the user is logged out and an error message
is displayed.
- Maximum allowed login attempts: After a
configurable number of login attempts, the user is asked if he wants to go to
the 'Forgotten your password?' procedure. If he persists in
logging in, he is blacklisted. See items below. This is a security
feature.
- Login failures interval: The time window in
which the blacklist is consulted before deleting a user's failed login
attempts. So, a user has to wait a configurable time before he can
undertake new attempts. This is a security feature.
- Valid bypass interval: This item refers to the
'Forgotten your password?' procedure.
After sending the first mail, containing the one time code, the user
has 30 minutes to read and enter the one time code. If the time is
exceeded, the one time code expires.
- Blacklist interval: The time a user is put on
the blacklist. In this period, the system is inaccessible for that
user.
This chapter elaborates on other chapters. We assume you have read and
done the General part of the Table of Contents.
Website@School does not accept simple passwords like 'helen' or 'maria2'.
These simple passwords are easy to guess and using them endangers
Website@School, the school server and the data on it. Passwords must have
certain properties to make them difficult to guess. A Website@School
password must:
- have a minimum length of 6 (six) characters,
- have at least 1 (one) uppercase character (A-Z),
- have at least 1 (one) lowercase character (a-z),
- have at least 1 (one) digit (0-9),
- preferably have a special character like: at-sign '@', hash
'#', dollar '$', percentage sign '%', caret
'^', ampersand '&', asterisk '*', left
parenthesis '(', right parenthesis ')', dash '-',
underscore '_', plus '+', equals '=', left curly
brace '{', right curly brace '}', opening bracket
'[', closing bracket ']', semicolon ';', slash
'/', dot '.' and question mark '?'.
It is a good idea to choose a password more than 6 characters long. A
good password, as an example, is 'Mrbh3ws!' (omit the quotes). This
password is easy to remember when you know it stands for the sentence:
"My red bike has 3 wheels!". However, and that makes it a good
password, it's very difficult to guess when you do not know the
sentence. This 'sentence trick' is an easy way for pupils to create
difficult passwords and remember them.
NOTICE:
When creating users and giving them passwords, the passwords must meet the
above requirements.
When trying to log in, please bear in mind that there are three types of
users in Website@School:
1. Regular visitors of the site and areas, having no account to log in
anywhere.
2. Users with an account with permissions only to read Private
Area(s) (i.e. Intranet(s)).
3. Users with an account that permits them to perform management
tasks in Website@School.
NOTICE:
Regular visitors (1) are just visitors, having no access at all.
Users with Intranet read access (2) can login via the site, i.e. via
index.php.
Users (3) with enough permissions to do management tasks can login via the
login dialogue, i.e. via admin.php.
A user with only Intranet read permissions, accidentally trying
to log in via admin.php, is logged in, but encounters the
Access denied dialogue:
![[ Access disabled, two links ]](login/login_access_disabled.png)
The user can now either:
- Select the public site and access her Intranet(s) via the 'Select
Area' dropdown menu, because she is already logged in, or
- Select login, whereafter she first is logged out, to log in again
with another account name or with sufficient permissions to enter
Website@School management.
NOTICE:
Newly created users whose access permissions have not been set
receive the same Access denied message. This results in a
complaining user.
Logging in can be done via index.php and
admin.php. When switching from the site to management or vice
versa, the user does not have to login again. When logging out on the site,
the user is also logged out in Website@School management and vice
versa.
NOTICE:
When you try to log in and are immediately redirected to the site, please
read 4.4 After login attempt redirected to the website.
Open a browser and go to http://exemplum.eu/admin.php. This is a fictional
URL; replace it with the real URL of your school. Only replace the URL of
the school, but keep the admin.php. Next, hit the [Enter] key to enter the
login dialogue:
![[ Exemplum Primary School login page, username name, password ******** ]](login/login_logging_in.png)
Explanation:
- Username: Enter the user name you created during
installation or received from the web master. For example
wblader.
- Password: Enter the password you created during the
installation or received from the web master. The password is not shown;
asterisks (********) are displayed instead. This is a security feature.
- [OK] or [Enter]: Press the [Enter]
key on your keyboard, or click [OK] to enter the Website@School Management
Welcome page.
- home: Link to the home page of the school site.
- Forgotten your password?: If you have forgotten your
password, use this link to obtain a new password. See paragraph 3. Forgotten your password? for further details.
After a successful login, you are on the Website@School
Welcome page:
![[ Welcome, message= success ]](login/login_was_home_after_login.png)
From this page Website@School is managed.
NOTICE:
The following URL opens the login screen in a selected language, in this
case Finnish:
http://exemplum.eu/admin.php?language=fi. For details on the
language codes see: http://www.w3.org/WAI/ER/brIG/ert/iso639.htm to choose
the correct code. Don't mind the 'obsolete' in the above web
page; it works fine. For further details on this matter, see Wikipedia on
http://en.wikipedia.org/wiki/ISO_639.
After having done your job in Website@School you must log out to end your
session.
NOTICE:
Do not terminate your session by exiting your browser or clicking
the X in the upper right corner of your browser. This brute force action
will indeed kill your session, but it does not unlock the materials you
were working with. The next time you login, you may be confronted with
locked pages, see paragraph 4.3 Locked
pages.
To end your session in Website@School, click the link logout Full Name in the upper right corner of the screen to
log out, whereafter the logout dialogue opens:
![[ Exemplum Primary School, pop up: success, message= success ]](login/login_logged_out.png)
After logging out, two possibilities are available:
- You are taken back to the login dialogue and can login again after
reading the pop up message and clicking the [OK] button, or
- you are taken back to some other place. This depends on your account
settings in the user properties. These are set in the account manager and
are discussed in chapter Account Manager, paragraph 3.3 Edit user username
(Full Name).
When you have forgotten your password, try to remember it. Do not try it
out endlessly. This results in error messages and if you keep on trying,
your access will be (temporarily) denied.
Better try to get a new password from the web master. This is really the
easiest way to obtain a new password. If that's not possible,
follow the inconvenient but secure procedure described below.
Click the Forgotten your password? link in the
login dialogue to enter the Please enter your username
and e-mail address and press the button. dialogue:
![[ Exemplum Primary School, logout, username user, e-mail address 'e-mail address' ]](login/login_forgotten_password.png)
Enter your user name and the e-mail address that was used when the
account was created. Press the [Enter] key on your keyboard or click the
[OK] button.
The Please see your e-mail for further instructions.
dialogue opens:
![[ Exemplum Primary School, pop up: see e-mail, see e-mail, message= see e-mail ]](login/login_forgotten_password_email_1.png)
NOTICE:
When you, at this very moment, remember your old password, you can click
away the pop-up window, but do not press the [OK] button in the
Please see your e-mail for further instructions. dialogue.
After pressing the [OK] button, your old password will not be usable
anymore!
Check your e-mail for a message like the following:
Subject: One-time login code request
Date: Fri, 17 Dec 2010 22:27:16 +0100
From: Exemplum Primary School <webmaster@exemplum.eu>
To: w.bladergroen@exemplum.eu (Wilhelmina Bladergroen)
Here is a link with a one-time code that will allow you to
request a new, temporary password. Copy the link below to
the address bar in your browser and press [Enter]:
http://exemplum.org/index.php?login=4&username=hparkh&code=BEJZ51CYT9F6KPHPS05W
Alternatively, you can go to this location:
http://exemplum.org/index.php?login=4
and enter your username and this one-time code:
X8XDCOE2X0M2RYQRGJLY
Note that this code is valid for only 30 minutes.
The request for this one-time code was received from this
address:
172.17.2.23
Good luck!
Your automated webmaster
If the first URL fails (see 4.5
One time code error), copy the one time code and use the second
URL.
Press the [OK] button, whereafter the Please enter your username
and one-time code and press the button. dialogue opens:
![[ Exemplum Primary School, username 'user', one time code X8X...JLY ]](login/login_forgotten_password_enter_one_time_code.png)
Enter the one-time code and press the [Enter] key on your
keyboard or use the [OK] button, to enter the Please see
your e-mail for your new temporary password. dialogue:
![[ Exemplum Primary School, pop up: see e-mail, message= see e-mail ]](login/login_forgotten_password_email_2.png)
Another mail is sent to you, containing the temporary password:
Subject: One-time login code request
Date: Fri, 17 Dec 2010 22:30:17 +0100
From: Exemplum Primary School <webmaster@exemplum.eu>
To: w.bladergroen@exemplum.eu (Wilhelmina Bladergroen)
Here is your temporary password:
9Y5tUk4q
Note that this password is valid for only 30 minutes.
The request for this temporary password was received
from this address:
172.17.2.23
Good luck!
Your automated webmaster
Enter the user name and copy & paste the one time password in the
password field:
![[ Exemplum Primary School, username name, password *******, message= see e-mail ]](login/login_forgotten_password_enter_temp_password.png)
Press Enter or the [OK] button, to enter the You have
to change your password now. dialogue:
![[ Exemplum Primary School, username name, password ******, new password *******, confirm new password ******* ]](login/login_forgotten_password_enter_new_password.png)
After clicking the [OK] button, the
Your password was
successfully changed. dialogue opens:
![[ Exemplum Primary School, pop up: success, message= success ]](login/login_forgotten_password_successfull_change.png)
In the pop up window, click [OK] to remove it. Next, click [OK] and
enter the site. Go to My page, select admin.php and
you are in Website@School management.
You also receive an e-mail, confirming the change of your password.
Subject: One-time login code request
Date: Fri, 17 Dec 2010 22:33:18 +0100
From: Exemplum Primary School <webmaster@exemplum.eu>
To: w.bladergroen@exemplum.eu (Wilhelmina Bladergroen)
Your password has been changed.
The password change request was received
from address 172.17.2.23 on 2010-12-17 22:35:48.
Kind regards,
Your automated webmaster.
As you may have noticed, changing your password is, for security
reasons, a complicated process. It's easier to remember your secure
password, or humbly address the webmaster.
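The one-time code step of this procedure, sketched in Python as an added example; it is not Website@School's own code. The class and method names are hypothetical, the 20-character uppercase/digit format and the 30-minute validity are taken from the sample e-mail above, and keeping only a hash of the code is a design assumption, not a statement of how the product stores it.

```python
import hashlib
import hmac
import secrets
import string

CODE_ALPHABET = string.ascii_uppercase + string.digits  # as in the sample e-mail
CODE_LENGTH = 20
VALID_BYPASS_INTERVAL = 30 * 60  # seconds; the manual states 30 minutes


def _digest(code):
    return hashlib.sha256(code.encode("utf-8")).digest()


class OneTimeCodes:
    """Hypothetical store: one pending code per username, kept only as a hash."""

    def __init__(self):
        self._pending = {}  # username -> (code digest, expiry timestamp)

    def issue(self, username, now):
        """Create a code to be mailed; a new request replaces any older code."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[username] = (_digest(code), now + VALID_BYPASS_INTERVAL)
        return code

    def redeem(self, username, code, now):
        """True only for the right user, the right code, in time, and once."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires = entry
        if now >= expires:
            del self._pending[username]  # expired codes are discarded
            return False
        # strip() tolerates whitespace picked up when copying from the e-mail;
        # compare_digest avoids leaking how many leading bytes matched.
        if not hmac.compare_digest(digest, _digest(code.strip())):
            return False
        del self._pending[username]  # single use
        return True
```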
Below, some of the most common error messages during log in are summed up.
If you have entered a wrong username/password combination, you receive a
popup window with an error message.
![[ Exemplum Primary School, pop up: invalid credentials, message= invalid credentials ]](login/login_invalid_credentials.png)
NOTICE:
Do not try endlessly to find your forgotten password, but try to remember
it. After 10 attempts, you are taken to the Forgotten
your password? dialogue. See paragraph 3.
Forgotten your password? on renewing it.
The 'Forgotten your password?' procedure asks for your username and e-mail
address. If you have
entered a wrong username/e-mail combination, you see an alert box with an
error message 'Invalid username and email address'. After pressing
the [OK] button to remove the alert, you get another chance to enter the
correct combination. The number of attempts is limited; by default you can
retry 10 times.
![[ Exemplum Primary School, pop up: invalid credentials, message= invalid credentials ]](login/login_too_many_attempts_forgot_password.png)
If you persist and enter an incorrect combination for the 11th time, you
will be locked out for a configurable amount of time (default 8
minutes).
![[ Exemplum Primary School, pop up: invalid username, message= invalid username ]](login/login_invalid_user_and_mail.png)
After yet 10 more failed logins, you get:
![[ Exemplum Primary School, pop up: too many attempts, message= too many attempts ]](login/login_too_many_attempts.png)
And if you persist, clicking the [OK] button:
![[ Exemplum Primary School, pop up: access denied, message= access denied ]](login/login_access_denied.png)
This is a feature to protect Website@School against automated password
cracking attempts. Wait 8 minutes and try again.
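How the three lockout parameters from the feature list (maximum allowed login attempts, login failures interval, blacklist interval) combine into the behaviour described here, as an added Python sketch; it is not Website@School's own code. The class, its method names and the 12-minute failures interval are assumptions; the 10 attempts and the 8-minute blacklist are the defaults this chapter mentions.

```python
from collections import defaultdict


class LoginThrottle:
    """Hypothetical model: sliding-window failure count plus a timed blacklist."""

    def __init__(self, max_attempts=10, failures_interval=12 * 60,
                 blacklist_interval=8 * 60):
        self.max_attempts = max_attempts              # manual default: 10
        self.failures_interval = failures_interval    # seconds; assumed value
        self.blacklist_interval = blacklist_interval  # manual default: 8 minutes
        self._failures = defaultdict(list)            # key -> failure timestamps
        self._blacklisted_until = {}                  # key -> unlock timestamp

    def _recent(self, key, now):
        """Drop failures older than the failures interval, return the rest."""
        cutoff = now - self.failures_interval
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return self._failures[key]

    def status(self, key, now):
        if self._blacklisted_until.get(key, 0) > now:
            return "blacklisted"
        if len(self._recent(key, now)) >= self.max_attempts:
            return "offer_password_reset"
        return "ok"

    def record_failure(self, key, now):
        """Register one failed login and return the resulting state."""
        if self.status(key, now) == "blacklisted":
            return "blacklisted"  # no counting while locked out
        recent = self._recent(key, now)
        recent.append(now)
        if len(recent) > self.max_attempts:
            self._blacklisted_until[key] = now + self.blacklist_interval
            return "blacklisted"
        return self.status(key, now)


def simulate(failure_times, key="wblader"):
    """Replay constructed failure timestamps (seconds) for one key."""
    throttle = LoginThrottle()
    return throttle, [throttle.record_failure(key, t) for t in failure_times]
```

Which key to throttle on (user name, client address, or both) decides who gets locked out; the sketch leaves that choice to the caller.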
When a login lasts
more than 24 hours, the user is automatically logged out:
![[ Exemplum Primary School, pop up: forcefully logged out, message= forcefully logged out ]](login/login_forcefully_logged_out.png)
Remove the pop up message and log in again. This feature can be set in
'Session expiry interval', see chapter Configuration Manager,
paragraph Site.
![[ Access denied, two links ]](login/login_access_disabled.png)
You probably have no or not enough permissions to enter Website@School
Management. Please use one of the links.
Another often occurring reason for this error is when the webmaster has
created your account, but forgot to give you (enough) permissions to enter
Website@School management.
Some browsers
or some e-mail clients (?) have problems with the full URL of the one time
code. In that case you get the following message:
![[ Invalid one time code, please try again ]](login/login_invalid_one_time_code.png)
In this case, copy the second URL to your browser and copy & paste
the one-time code in the One-time code field.
To summarise this chapter: it's much easier to remember your password than
to change it.
Author: Dirk Schouten <schoutid (at) Knoware (dot) nl>
Last updated: 2012-11-17