
Technical Support Forums

SA and Cookies

Thread began 8/04/2009 11:54 am by shadow329043 | Last modified 8/06/2009 12:49 pm by Eric Mittman | 2650 views | 3 replies |

shadow329043

Hi all - I am encountering a problem with a site that I am setting up a user registration system on. I am thinking that the problem has to do with the cookies.

I am now testing the user registration system generated by SA. In a security test, I entered the wrong user name to see how SA would react.......I was locked out. When I clicked on the login link, I was immediately directed to the "Access Denied" page and wasn't allowed to attempt to log in. I tried the same procedure with Firefox (because it is easier to delete individual cookies).....got locked out and when I deleted the cookie from my website, I was allowed to log in again. That is how I discovered what caused the problem. I do also own the Cookie Toolkit but am not sure if it is what I need to fix the problem.

Now.....I want to set up the registration system to allow for at least 3 to 5 attempts without the immediate lockout. Do I delete the cookies displayed under server behaviors and recreate them? Will the Cookie Toolkit offer me the option to set the number of attempts?
When I tried the "Display cookie" function, I got an error message (I assume from SA) saying that "making this change would require changing code that is locked by a template or translator" and I don't really understand this.


Eric Mittman

The reason you are denied access when entering the wrong username with the cookie being set is because of the auto login option. When this option is checked it will store the posted username and password in a cookie, then attempt to log in the user if they are not already logged in. Since these cookies have a value, the script is attempting to auto log you in based on the values in the cookies. When you get redirected to a restricted page you will be denied.

One way that you can get around this problem would be to set the failed redirect for the auto login to a page that unsets the cookies. Once these cookies have been unset you can attempt to login again.

If you wanted to make it like you have stated to allow a few login attempts you could record the number of times the user hits the failed redirect page that is resetting the cookie using an insert, and a recordset to count the number of entries for that user. If the count is greater than your limit then don't reset the cookie.

The error about the code being locked in the template is a problem that occurs from time to time when you attempt to insert server behaviors into a page derived from a template. Some ways to get around this are to temporarily detach the page from the template and add the server behavior, then re-attach the template. You can also apply the server behavior to another page and cut and paste it to your target page. Sometimes just restarting DW and trying it again will work also.


shadow329043

Thanks for your reply - that answers all my questions. I have added a server behavior on the redirect page to reset those values.


Eric Mittman

You're welcome, hopefully others that are trying to do something similar will be able to use this also.


graham

Jason ... are you out there?

I have a login issue very similar to the subject of this thread ... a few of our users have encountered it in the last week.

When a user mistakenly tries to login to our site without having previously registered, security assist is set to redirect to login.php?failedLogin=1 - proper error statement displays and user retries. However, if that same non-registered user checks "remember my information" and "login automatically" and tries to login, security assist is set to redirect to login.php?failedLogin=1&failed_auto=1 - resulting in a 310 error : too many redirects.

How do I remedy the situation? How do I tell the user, without looping through the failed login, that their info is not in the database?


Jason Byrnes (WebAssist)

Go to the bindings panel and click the plus button, select URL Variable and name it:
failedLogin

Then add a set cookie value behavior for the auto login in cookie to reset its value to 0. For the trigger, click the lightning bolt icon, and select the failedLogin URL variable.

You can also do the same for the username cookie, the password cookie and the remember me cookie.


graham

Jason, on my login.php I have 2 Set Cookie Values already for each RememberMeUN, RememberMePWD, AutoLoginPWD and AutoLoginUN - the first has no set value, while the second is Log_In_group_Email/Password dependent. I am not to edit either of these, but to instead add another Set Cookie Value for each as described? I tried just that but had no luck with the looping issue. I have zipped the file in case you have a moment to investigate.

Attached Files
login.zip

Jason Byrnes (WebAssist)

In the save for settings, set the number of days to 0 or a negative number.

Also, leave the value blank instead of using 0.

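The fix reached above (blank value, expiry at or before now, triggered by the failedLogin URL variable), combined with the attempt limit Eric describes earlier in the thread, written out as an added PHP example; it is not code generated by SecurityAssist. The cookie names are the ones quoted in the thread; the path `/`, the limit of 5 and the session-based counter are assumptions.

```php
<?php
// Added example, not SecurityAssist output. Must run at the top of login.php,
// before any output and before the auto-login check reads the cookies.
const AUTO_LOGIN_COOKIES = ['AutoLoginUN', 'AutoLoginPWD', 'RememberMeUN', 'RememberMePWD'];
const MAX_ATTEMPTS = 5; // assumed limit ("3 to 5 attempts" in the question)

/**
 * Decide which cookies to expire for this request.
 * $query       parsed query string ($_GET)
 * $cookies     cookies the browser sent ($_COOKIE)
 * $failedCount failed logins recorded so far, including this one
 */
function cookiesToExpire(array $query, array $cookies, int $failedCount): array
{
    if (!isset($query['failedLogin'])) {
        return []; // not the failed-login redirect: leave the cookies alone
    }
    if ($failedCount > MAX_ATTEMPTS) {
        return []; // over the limit: do not reset, the visitor stays denied
    }
    // Expire only the auto-login cookies that were actually sent.
    return array_values(array_intersect(AUTO_LOGIN_COOKIES, array_keys($cookies)));
}

function expireCookie(string $name): void
{
    // Blank value plus an expiry in the past tells the browser to delete it.
    // The path must match the one used when the cookie was set ('/' assumed).
    setcookie($name, '', time() - 3600, '/');
    unset($_COOKIE[$name]); // so code later in this request sees no stale value
}

if (PHP_SAPI === 'cli') {
    // Constructed request: a failed auto-login carrying stale cookies.
    $query   = ['failedLogin' => '1', 'failed_auto' => '1'];
    $cookies = ['AutoLoginUN' => 'nobody@example.com', 'AutoLoginPWD' => 'x', 'PHPSESSID' => 'abc'];
    print_r(cookiesToExpire($query, $cookies, 1)); // both auto-login cookies
    print_r(cookiesToExpire($query, $cookies, 6)); // empty: limit exceeded
} else {
    session_start();
    if (isset($_GET['failedLogin'])) {
        $_SESSION['failed_logins'] = ($_SESSION['failed_logins'] ?? 0) + 1;
    }
    foreach (cookiesToExpire($_GET, $_COOKIE, $_SESSION['failed_logins'] ?? 0) as $name) {
        expireCookie($name);
    }
}
```

A session counter disappears when the visitor discards the session cookie, so an enforced limit needs the server-side count per username that Eric describes (an insert plus a recordset count).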

graham

That seems to have done it ... many thanks for the speedy reply, as always!
