
EXT: Improved Login

Author: Christopher
Created: 2010-12-18T19:57:23
Changed by: Markus Kappe
Changed: 2011-12-07T12:35:02.210000000
Classification: beko_improved_login
Keywords: forDevelopers, forBeginners, login
Author: Markus Kappe
Email: markus.kappe@dix.at
Language: en


Extension Key: beko_improved_login

Language: en

Keywords: forDevelopers, forBeginners, login

Copyright 2011-now, Markus Kappe, <markus.kappe@dix.at>

This document is published under the Open Content License available from http://www.opencontent.org/opl.shtml

The content of this document is related to TYPO3 - a GNU/GPL CMS/Framework available from www.typo3.org

Table of Contents

EXT: Improved Login
Introduction
Screenshots
Users manual
  BE user FE all group
  Domain and IP blacklist/whitelist
  Login logging
  Redirect after login
Administration
  Update
  Configuration
  Tutorial
Known problems, FAQ
To-Do list
Changelog
Credits

Introduction

What does it do?

  • The beko_improved_login extension adds a couple of features to the felogin extension.
  • A logged-in backend user can normally simulate only one user group in the FE; this extension allows the BE user to simulate being in all FE groups. This feature can easily be enabled/disabled.
  • If someone tries to access a restricted page, he is redirected to the login page.
  • Blacklist/whitelist FE user logins by domain and/or IP address.
  • Logging of successful/failed logins (also available as CSV export).
  • Keeping track of failed logins and informing the admin if too many (configurable) login failures occurred (an option even allows disabling the account after a specified number of failed logins).
  • Supports saltedpasswords.

Screenshots

Users manual

BE user FE all group

This feature allows a backend user (who has to be logged in) to see all pages in the frontend – even if they are restricted to different user groups. So far the user had to simulate one group after another – now, he sees them all right from the beginning.

This is very useful for administrators and backend users who are allowed to see all pages. Please note that this extension should be disabled if you have backend users with access restrictions (e.g. a user in project X has BE access restricted to the pages belonging to project X; the pages are also access-restricted in the frontend. With the feature turned on, the user would also see project Z in the frontend!).

Domain and IP blacklist/whitelist

If you need to ban FE user logins from specific domains or IPs (e.g. someone tried to guess users' passwords), then you can use this feature.

The IP blacklist/whitelist allows * as a wildcard for IP ranges; the domain blacklist/whitelist doesn't.

A whitelist entry overrules a blacklist entry!

Login logging

Each login attempt will be logged. The log doesn't only store success/failure information, it also stores the IP address and a login note if the IP was on the blacklist/whitelist. The log can be viewed in the backend and the entries can be exported as CSV. In the log viewer you can also select “inactive” users, which only covers FE users who never attempted a login.

A limit for failed logins can be set after which a list of administrators is informed by e-mail. Another limit can be set that will disable the account after a number of failed logins.

Note: If a login fails for any reason, the user is not told why the login failed! Someone who tries to break into the system via password guessing (or a former employee who might want to damage something) does not learn why he fails. If they want to guess passwords all night long, let them – after 5 (default) failures we don't care anymore, since the user is locked anyway. The only threat in the disable feature: a person who knows the usernames can lock them all down (but then we still have his/her IP). If a valid user fails the login a couple of times, he will call the admin anyway, and the admin can take a look into the log (maybe the user was accidentally on the blacklist by IP range).

Note for the cleanup tool: The cleanup tool allows you to delete log entries older than a specified period. If you do the cleanup, please be aware that any information about “successful” or “unsuccessful” attempts also gets deleted – which can result in incorrect display of “inactive users”. Example: if you delete log entries older than 1 month, then every user who hasn't tried to log in within the last month will be shown as “inactive”.
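The list semantics described under “Domain and IP blacklist/whitelist” (comma-separated entries, * as an IP octet wildcard, whitelist overruling blacklist) and the two failure thresholds from this section, modelled in Python as an added example that is not part of the extension's own code. The configuration values and client addresses are constructed; treating the client “domain” as a plain hostname string and letting a threshold fire once the count reaches the configured number are assumptions.

```python
# Added example, not code from the beko_improved_login extension: models the
# documented list semantics (comma-separated values, '*' as an octet wildcard
# for IP lists only, whitelist overrules blacklist) and the two failure
# thresholds. Assumptions: the client "domain" is a plain hostname string, and
# a threshold fires once the failure count reaches the configured number.

def parse_list(raw: str) -> list:
    """Split an Extension Manager value such as '127.0.0.*, 192.168.123.100'."""
    return [item.strip().lower() for item in raw.split(",") if item.strip()]

def ip_matches(pattern: str, ip: str) -> bool:
    """Dotted-quad comparison; a '*' octet in the pattern matches any octet."""
    pat, addr = pattern.split("."), ip.split(".")
    return len(pat) == len(addr) == 4 and all(p in ("*", a) for p, a in zip(pat, addr))

def list_verdict(ip: str, host: str, cfg: dict) -> str:
    """Return 'whitelist', 'blacklist' or 'none'; domain entries compare exactly (no wildcards)."""
    def hit(key: str, match) -> bool:
        return any(match(entry) for entry in parse_list(cfg.get(key, "")))
    ip_hit = lambda key: hit(key, lambda e: ip_matches(e, ip))
    host_hit = lambda key: hit(key, lambda e: e == host.lower())
    if ip_hit("ip_whitelist") or host_hit("domain_whitelist"):
        return "whitelist"  # a whitelist entry overrules a blacklist entry
    if ip_hit("ip_blacklist") or host_hit("domain_blacklist"):
        return "blacklist"
    return "none"

def failure_actions(failed_count: int, cfg: dict) -> dict:
    """Which follow-ups the two documented thresholds trigger for one account."""
    inform_at = int(cfg.get("failed_logins_admin", 3))
    lock_at = int(cfg.get("failed_logins_lock", 5))
    return {"inform_admin": failed_count >= inform_at,
            "lock_account": failed_count >= lock_at}

# Constructed configuration in the shape of the Extension Manager fields.
SAMPLE_CFG = {
    "ip_blacklist": "127.0.0.*, 192.168.123.100",
    "ip_whitelist": "127.0.0.1",
    "domain_blacklist": "www.myhost.tld,www.myotherhost.tld",
    "domain_whitelist": "",
    "failed_logins_admin": "3",
    "failed_logins_lock": "5",
}

if __name__ == "__main__":
    print(list_verdict("127.0.0.1", "client.example", SAMPLE_CFG))  # whitelist
    print(list_verdict("127.0.0.2", "client.example", SAMPLE_CFG))  # blacklist
    print(failure_actions(5, SAMPLE_CFG))  # both thresholds reached
```

Note that 127.0.0.1 is inside the blacklisted 127.0.0.* range but still ends up whitelisted, which is exactly the precedence the manual describes.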

Redirect after login

This feature is not used anymore because “felogin” handles this very well.

Administration

The administration happens in two places: first in the configuration of the extension (settings like the blacklist/whitelist), and second in TypoScript (mail template). See Configuration for more information.

Update

Version 2.0.0 of this extension is compatible with version 1.2.4, with these exceptions:

Of course felogin is now used instead of newloginbox. Update your login content elements and delete the newloginbox extension.

The field for the “redirect on login” in the fe_groups table, which was added in the earlier versions, does not exist anymore. Instead, the corresponding field from the felogin extension is used. So before you upgrade the extension, check your fe_groups table and move the data to the field belonging to the felogin extension.

Formerly there was a Page TS option to define the login page. Now this configuration is located within the extension manager [loginPid]. If you have ever used this option, make sure to enter the right page ID. You can delete the Page TS option.

Configuration

Step 1 : install and configure the felogin extension

Step 2 : install the beko_improved_login extension

After you have installed the extension, go to the Extension Manager and click on the extension. The next page shows you the following configuration:

[enableFEAllGroups]
Data type: boolean
Description: If activated, a backend user will have access to all pages that are restricted to specific FE user groups (this allows admins to preview pages without the need to log in first).
Note: if you have a website with different BE users who are restricted to various areas, then disable this feature! If you keep it enabled, a logged-in BE user surfing the FE would also see the other pages (after all, it's called BE User FE ALL groups).
This setting is best used if you just have admins (or users who should see everything) for the BE, and FE users who should only see specific restricted pages.
Default: 0 - disabled

[ip_blacklist]
Data type: string
Description: Enter the blacklist for IPs separated by commas. IP ranges are supported. E.g. 127.0.0.*, 192.168.123.100
Note: A blacklisted entry can be overruled by a whitelist entry.
Default: (empty)

[ip_whitelist]
Data type: string
Description: Enter the whitelist for IPs separated by commas. IP ranges are supported. E.g. 127.0.0.1, 192.168.123.*
Note: A whitelist entry overrules a blacklist entry.
Default: (empty)

[domain_blacklist]
Data type: string
Description: Enter the blacklist for domains separated by commas. Wildcards are NOT supported. E.g. www.myhost.tld,www.myotherhost.tld
Note: A blacklisted entry can be overruled by a whitelist entry.
Default: (empty)

[domain_whitelist]
Data type: string
Description: Enter the whitelist for domains separated by commas. Wildcards are NOT supported. E.g. www.myhost.com,www.myotherhost.tld
Note: A whitelist entry overrules a blacklist entry.
Default: (empty)

[failed_logins_admin]
Data type: integer
Description: Enter the number of allowed login failures before the administrator is informed.
Default: 3

[failed_logins_lock]
Data type: integer
Description: Enter the number of allowed failed logins before the user is locked.
Note: Although this is a nice security feature (if someone tries to log in as a specific user, he has 5 tries to get the password right), it is also a little pitfall. Someone who knows the usernames can “use” this feature to lock accounts (the IP is logged for every login attempt).
Default: 5

[cvs_export_lines]
Data type: integer
Description: Enter the number of records which shall be exported via the CSV export. Leave empty for no limit.
Default: (empty)

[cvs_export_utf8toiso]
Data type: boolean
Description: Older versions of Excel seem to have problems with special characters in UTF-8 CSV files. If you experience problems with them, enable the conversion and try again.
Default: 0 – disabled

[log_lines]
Data type: integer
Description: Enter the number of records to list in the backend when showing the log (this applies to "Successful Logins", "Failed Logins" and "Inactive Users").
Default: 50

[admin_list]
Data type: string
Description: Enter the e-mail addresses (separated by commas) of the person(s) who shall be informed of failed logins according to the rules above.
Default: (empty)

[sender_name]
Data type: string
Description: The sender name which shall be used for the e-mails.
Default: Front End User Counter

[sender_e-mail]
Data type: string
Description: The sender e-mail address which shall be used for the e-mails.
TEST EMAIL BEFORE USE IN PRODUCTION. Note that it is possible that the mail is filtered by your spam protection when the mailbox does not exist.
Default: feuc@myhost.tld

[loginPid]
Data type: integer
Description: If a user tries to access a restricted page without being logged in at that time, he will be directed to the login page identified by this page ID. If none is specified, the extension will try to autodetect the login page (which is probably enough most of the time).
Default: 0

Step 3 : Configuring the TypoScript

The TypoScript configuration only extends the localization labels of the felogin extension.

Example:

plugin.tx_felogin_pi1._LOCAL_LANG.default {
    email_subject_inform = - FE User exceeded max. failed logins.
    email_subject_lock = - FE User locked due to failed logins.
    email_text (
Dear Administrator,
The user ###username### has made ###failurecount### login failures and exceeded the limit of ###maxfailures###.
    )
    email_text_lock = The user also exceeded the locking limit of ###maxfailures_lock### and the account will be set to hidden.
}
plugin.tx_felogin_pi1._LOCAL_LANG.de {
    email_subject_inform = - zuviele fehlgeschlagene Loginversuche (FE User)
    email_subject_lock = - FE User gesperrt wegen zuvielen fehlgeschlagenen Logins
    email_text (
Sehr geehrter Administrator,
Der User ###username### hat ###failurecount### erfolglose Einlogversuche unternommen und damit das limit von ###maxfailures### ueberschritten.
    )
    email_text_lock = Der User hat auch das Account Sperr Limit von ###maxfailures_lock### ueberschritten und wird somit gesperrt (auf hidden gesetzt).
}

Tutorial

Enabling/Disabling the BE User FE all group function

All other features of this extension are as easily configurable as the BE user FE all groups function.

Known problems, FAQ

The feature “redirect to the login page when a user is not logged in and tries to access a protected page” extends the class tslib_fe. To do so, the code from the TYPO3 core version 4.5.8 is used. It may not be compatible with other (older) versions of TYPO3.

You can enter only ONE loginPid, which can lead to problems when you have more than one page tree.

It is possible that the mail (after [failed_logins_admin] login failures) is filtered by your spam protection when the mailbox of the sender does not exist.

After trying to access a restricted page you get redirected to the login form. After a successful login you should get redirected to the protected page, but you stay on the page with the login form. This can have several reasons:

  • You enabled the option “Display Logout Form After Successful Login” in the felogin plugin
  • The user has no access to the page, although he has logged in successfully
  • The redirect mode in the felogin plugin means something other than “follow the redirect_url”. Read the manual of the felogin extension if you are not sure what option fits your needs.

Login counter does not count up. Possible reasons:

  • DB update upon installation not executed
  • Cache not cleared (temp_CACHED_*) after installation
  • You have another extension installed that extends felogin (xclass)

Log stays empty. Possible reasons:

  • DB update upon installation not executed
  • Cache not cleared (temp_CACHED_*) after installation
  • You have another extension installed that extends tslib_fe (xclass)

To-Do list

Nothing at the moment

Ideas:

  • Enforce password complexity (dictionary, character classes, length)
  • Expire password after xx days
  • Keep track of changed passwords to prevent using the same password twice
  • Log all email addresses that are entered in the “forgot password” dialog

Changelog

See file “ChangeLog” in extension directory.

Credits

Credits go to Jürgen Unfried and Clemens Prerovsky for developing this extension in the first place.