Increase login security

Abstract

How to secure the Sitecore login page by enforcing SSL, turning off autocomplete and not remembering the last user.

Applies to

Content Management or any core role where the client is available.

Sitecore Installation Framework

Login security tasks are not performed by default.

Azure Toolkit

Login security tasks are performed by default.

You can improve the security of the Sitecore login web page, in the following ways:

  • Make the login page available only to SSL requests.

  • Turn off autocomplete of user names

  • Disable the Remember me checkbox on the login page.

Make the login page available only to SSL requests

To configure the Sitecore Experience Platform to use only SSL requests for the Sitecore login page:

  • Create a custom redirect processor that redirects from http://hostname/sitecore/login to https://hostname/sitecore/login, and redirect all other pages from https to http.

Use the following code as an example:

public class SslLogin
{
    public void Process(PipelineArgs args)
    {
        string absUrl = HttpContext.Current.Request.Url.AbsoluteUri;
        string localUrl = HttpContext.Current.Request.Url.LocalPath;

        if (localUrl.StartsWith("/sitecore/login") && absUrl.StartsWith("http://") && !Context.IsLoggedIn)
        {
            HttpContext.Current.Response.Redirect(absUrl.Replace("http://", "https://"));
            return;
        }
        if (!localUrl.StartsWith("/sitecore/login") && absUrl.StartsWith("https://") && Context.IsLoggedIn)
        {
            HttpContext.Current.Response.Redirect(absUrl.Replace("https://", "http://"));
        }
    }
}

Turn off autocomplete for user names

You can specify that Sitecore does not complete the user name of users automatically when they log in. This is useful, for example, if you do not want user names to be disclosed when content authors log in to Sitecore on a shared or public computer. In addition, you can disable the Remember me check box.

To disable autocomplete for user names:

  • Open the sitecore.config file and set the Login.DisableAutoComplete setting to true. This disables auto complete on the Sitecore login forms on the /sitecore/login/default.aspx and /sitecore/admin/login.aspx pages.

To disable the Remember me check box on the login page:

  • On the Sitecore Identity Server role, open the sitecore/Sitecore.Plugin.IdentityServer/Config/identityServer.xml file and set the AllowRememberLogin setting to false. This also ignores any existing Remember me cookies, and all users have to log in again.

Disable the Remember Last Logged In User Name setting

As an additional defense in depth strategy, we recommend that you disable the browser’s ability to remember the user name of the last logged in user. To disable the Remember Last Logged In User Name setting:

  • Open the sitecore.config file and set the Login.RememberLastLoggedInUserName setting to false.