Limiting Login Attempts

Secure passwords of CMS Console user accounts against dictionary attacks

By default, C1 CMS lets a user attempt to log in to the CMS Console an unlimited number of times.

You can, however, limit the number of failed login attempts:

  1. Edit ~/App_Data/Composite/Composite.config.
  2. Locate this configuration element:
    <Composite.C1Console.Security.Plugins.LoginProviderConfiguration 
        defaultLoginProviderPlugin="DataBasedFormLoginProvider">
  3. Add the attribute "maxLoginAttempts", setting its value to the maximum number of CMS Console login attempts you want to allow, for example:
    <Composite.C1Console.Security.Plugins.LoginProviderConfiguration 
        defaultLoginProviderPlugin="DataBasedFormLoginProvider" 
        maxLoginAttempts="100">
  4. Save the file.

Now a user who exceeds the maximum number of login attempts will be locked out. When she or he then tries to log in with the correct password, a message pops up: "The account was locked after maximum login attempts. Please contact administrator."
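To confirm that a deployed Composite.config actually carries the limit, a check like the following can be run against the file's contents. It is an added example, not part of C1 CMS; the `<configuration>` wrapper in the sample data, the `policy_ceiling` parameter and the treatment of non-positive values as "invalid" are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Element and attribute names as shown in the steps above.
ELEMENT = "Composite.C1Console.Security.Plugins.LoginProviderConfiguration"
ATTRIBUTE = "maxLoginAttempts"


def audit_login_limit(config_xml, policy_ceiling=None):
    """Return (status, value) for the login-attempt limit in a Composite.config.

    status is one of:
      "missing-element"  the login provider element was not found
      "unlimited"        attribute absent: the default, no lockout
      "invalid"          value is not a positive integer (flagged for review)
      "above-policy"     limit is set but exceeds policy_ceiling
      "limited"          limit is set
    policy_ceiling is a hypothetical local policy value, not a CMS setting.
    """
    root = ET.fromstring(config_xml)
    node = next(root.iter(ELEMENT), None)  # matches at any depth
    if node is None:
        return ("missing-element", None)
    raw = node.get(ATTRIBUTE)
    if raw is None:
        return ("unlimited", None)
    try:
        value = int(raw.strip())
    except ValueError:
        return ("invalid", raw)
    if value <= 0:
        return ("invalid", raw)
    if policy_ceiling is not None and value > policy_ceiling:
        return ("above-policy", value)
    return ("limited", value)


# Constructed samples: only the element and attributes come from the page;
# the <configuration> wrapper is an assumption about the surrounding file.
DEFAULT_CONFIG = """<configuration>
  <Composite.C1Console.Security.Plugins.LoginProviderConfiguration
      defaultLoginProviderPlugin="DataBasedFormLoginProvider" />
</configuration>"""
LIMITED_CONFIG = DEFAULT_CONFIG.replace(
    '"DataBasedFormLoginProvider"',
    '"DataBasedFormLoginProvider" maxLoginAttempts="100"')

if __name__ == "__main__":
    for name, xml in (("default", DEFAULT_CONFIG), ("limited", LIMITED_CONFIG)):
        print(name, audit_login_limit(xml))
```

Pass the text of ~/App_Data/Composite/Composite.config to `audit_login_limit` to check a real site; an "unlimited" result means the console is still in its default state.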

The administrator can unlock such a user account:

  1. Log in to the CMS Console with administrative permissions.
  2. In the "System" perspective expand "Users and Permissions" / "Users" / (a folder the user account is in, if any).
  3. Locate and edit the locked out user. Normally, the locked out user account has a different (grayed) icon.
  4. Uncheck the "Is Locked" option.
  5. Save the changes.

Now the user can log in with her or his correct password.

Note. The administrator can also lock out a user account manually by checking the "Is Locked" option. In this case, a different alert will be displayed: "The account was locked by an administrator".

Requirements

C1 CMS version 4.3 or later