Increase login security
Applies to | Content Management or any core role where the client is available.
Sitecore Installation Framework | Login security tasks are not performed by default.
Azure Toolkit | Login security tasks are performed by default.
You can improve the security of the Sitecore login web page in the following ways:
- Make the login page available only to SSL requests.
- Turn off autocomplete of user names.
- Disable the Remember me check box on the login page.
Make the login page available only to SSL requests
To configure the Sitecore Experience Platform to use only SSL requests for the Sitecore login page:
- Create a custom redirect processor that redirects from http://hostname/sitecore/login to https://hostname/sitecore/login, and redirects all other pages from https to http.
Use the following code as an example:
using System.Web;
using Sitecore;
using Sitecore.Pipelines;

// Pipeline processor: forces anonymous requests for the login page onto HTTPS,
// and sends authenticated requests for every other page back to HTTP.
public class SslLogin
{
    public void Process(PipelineArgs args)
    {
        string absUrl = HttpContext.Current.Request.Url.AbsoluteUri;
        string localUrl = HttpContext.Current.Request.Url.LocalPath;

        // Login page requested over plain HTTP by a user who is not logged in: redirect to HTTPS.
        if (localUrl.StartsWith("/sitecore/login") && absUrl.StartsWith("http://") && !Context.IsLoggedIn)
        {
            HttpContext.Current.Response.Redirect(absUrl.Replace("http://", "https://"));
            return;
        }

        // Any other page requested over HTTPS by a logged-in user: redirect back to HTTP.
        if (!localUrl.StartsWith("/sitecore/login") && absUrl.StartsWith("https://") && Context.IsLoggedIn)
        {
            HttpContext.Current.Response.Redirect(absUrl.Replace("https://", "http://"));
        }
    }
}
Turn off autocomplete for user names
You can specify that Sitecore does not complete the user name of users automatically when they log in. This is useful, for example, if you do not want user names to be disclosed when content authors log in to Sitecore on a shared or public computer. In addition, you can disable the Remember me check box.
To disable autocomplete for user names:
- Open the sitecore.config file and set the Login.DisableAutoComplete setting to true. This disables autocomplete on the Sitecore login forms on the /sitecore/login/default.aspx and /sitecore/admin/login.aspx pages.
To disable the Remember me check box on the login page:
- On the Sitecore Identity Server role, open the sitecore/Sitecore.Plugin.IdentityServer/Config/identityServer.xml file and set the AllowRememberLogin setting to false. This also ignores any existing Remember me cookies, and all users have to log in again.
Disable the Remember Last Logged In User Name setting
As an additional defense-in-depth measure, we recommend that you disable the browser's ability to remember the user name of the last logged-in user. To disable the Remember Last Logged In User Name setting:
- Open the sitecore.config file and set the Login.RememberLastLoggedInUserName setting to false.
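The three settings above (Login.DisableAutoComplete, AllowRememberLogin and Login.RememberLastLoggedInUserName) are easy to miss during a review, so the following added audit script, which is not Sitecore's own code, parses a sitecore.config and an identityServer.xml and reports every setting that is absent or still at the weak value. The `<setting name="..." value="..."/>` shape is the standard Sitecore settings format; for identityServer.xml the element is located by name at any depth, so its exact nesting is not assumed, and the sample fragments are constructed for this example.

```python
"""Audit the login-hardening settings described on this page."""
import xml.etree.ElementTree as ET

# Hardened values the page prescribes: setting name -> required value.
SITECORE_CONFIG_EXPECTED = {
    "Login.DisableAutoComplete": "true",
    "Login.RememberLastLoggedInUserName": "false",
}
IDENTITY_SERVER_EXPECTED = {"AllowRememberLogin": "false"}


def audit_sitecore_config(xml_text):
    """Return {setting: (actual, expected)} for each missing or weak setting.

    A missing setting is reported with actual=None: it has not been hardened
    explicitly, so whatever the product default is will apply.
    """
    root = ET.fromstring(xml_text)
    found = {s.get("name"): (s.get("value") or "").strip().lower()
             for s in root.iter("setting")}
    return {name: (found.get(name), want)
            for name, want in SITECORE_CONFIG_EXPECTED.items()
            if found.get(name) != want}


def audit_identity_server(xml_text):
    """Same check for identityServer.xml, where the element text holds the value."""
    root = ET.fromstring(xml_text)
    findings = {}
    for name, want in IDENTITY_SERVER_EXPECTED.items():
        node = root.find(f".//{name}")  # nesting not assumed; match by name
        actual = (node.text or "").strip().lower() if node is not None else None
        if actual != want:
            findings[name] = (actual, want)
    return findings


# Constructed sample fragments: one setting is missing, the others are weak.
SAMPLE_SITECORE_CONFIG = """<sitecore><settings>
  <setting name="Login.RememberLastLoggedInUserName" value="true" />
</settings></sitecore>"""
SAMPLE_IDENTITY_SERVER = """<Settings><Sitecore><IdentityServer><AccountOptions>
  <AllowRememberLogin>true</AllowRememberLogin>
</AccountOptions></IdentityServer></Sitecore></Settings>"""

if __name__ == "__main__":
    findings = {**audit_sitecore_config(SAMPLE_SITECORE_CONFIG),
                **audit_identity_server(SAMPLE_IDENTITY_SERVER)}
    for name, (actual, want) in findings.items():
        print(f"WEAK {name}: is {actual!r}, should be {want!r}")
```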