Security Settings
Field Description:
| Administrator Login (Hard-Coded) |
Administrator user id and password |
| Login Name |
Login Name for administrator |
| Password |
Password for administrator |
| Use Existing Table |
Link to existing table for login name and password validation |
| Table |
Existing table in database containing login name and password information |
| Login Name Field |
Login Name field in table used for authentication |
| Password Field |
Password field in table used for authentication |
| Login Options |
Login options in the login page:
Auto-login - Auto login until the user logout explicitly
Remember username - Save the user's user name in cookie
Always ask - Do not save user name and password, always ask for them in the login page |
Auto-login
ASPMaker supports auto-login. When you enable the auto-login feature, a few cookies will be placed on the user's computer to identify the user, meaning that the user do not have to type username and password every time he/she visit the site.
For this reason, you should advise your users not to use this feature on a public or shared computer, as any other user of the computer will be able to access the account.
Advanced Security
Advanced Security feature allows you to setup User ID, assign User
Levels to users and create a complete user registration system. To setup, click the [Advanced] button.
ASPMaker supports two types of security - User ID and User Level. User ID Security secures data at record level. User Level Security secures data at table level. They complements each other and they can work independently or together. Users get their User ID and User Level after login. Before login, their identities are unknown and they are Anonymous Users.
Anonymous User
The permissions for Anonymous users are defined in this form.
Steps to setup Anonymous User permissions:
- Click on Anonymous User in the left pane,
- Define the permissions for each table.
User ID
User ID Security secures data at record level. Protected tables must have an User ID field for identifying which user a record belongs to. The User ID field names can be different in tables though. When User ID security is enabled, users can only access their own data.
Steps to setup User ID security for different tables/views:
- Click on User ID in the left pane.
- Select the [User ID field] from your user table, this field is usually the primary key of the User Table. (Note: if this field is not set, the feature is disabled)
- (Optional) Select the [Parent User ID field] from your user table. Parent User ID field stores the parent User ID that the user belongs to, parent user can modify the child user's records. Parent User ID is hierarchical, parent users can access the records owned by the child users of their child users. (Note: if this field is not set, the Parent User feature is disabled.)
- In the [User
ID Field] column, select the User ID Field for the tables/views that requires User ID security.
- (Optional) Enable [Allow View All] if you allow all logged in users (not including Anonymous User) to list/search/view (but not add/copy/edit/delete) all records in the table.
User Level
User Level Security secures data at table level. Each user level is granted with specific permissions to tables in the database.
There are 2 types of User Level security:
1. Static User Levels - the User Levels and the permissions are defined in this form and the User Levels are not to be changed after script generation.
Steps to setup static User Level security for different tables/views:
- Click on User Levels in the left pane,
- Select an integer field in your user table as the [User Level field], (Note: if this field is not set, the feature is disabled)
- Define your user levels, click
 icon the add an user level and  icon to delete an user level.
2. Dynamic User Levels - the User Levels and the permissions are defined in 2 tables in the database, the User Levels can still be changed with the generated scripts.
Steps to setup static User Level security for different tables/views:
- Click on User Levels in the left pane,
- Select an integer field in your user table as the [User Level field],(note: if this field is not set, the feature is disabled)
- Switch to the [Dynamic User Levels] tab, check [Enable Dynamic User Levels],
- Select your User Level Table and User Level Permission Table and the required fields.
The User Level Table and User Level Permission Table must have the following fields, note the data types, User Level ID and the Permission fields must be of integer type, the field names can be different though:
If you want ASPMaker to create these 2 tables in your database, click the [Create tables] button, the following form will display for you to change the table/field names if necessary. You can change the table/field names and then click OK to continue.
If you have projects created by previous versions of ASPMaker you may want to use dynamic User Levels and migrate the previously defined static User Levels in the project to the database. After selecting or creating the User Level and User Level Permission tables/fields, just click the [Migrate] button to let ASPMaker do that for you.
After setting the user levels, ASPMaker will populate the user levels to the User Level field's Edit Tag (also see Field Setup) so administrators can assign user levels using the generated pages.
There are two built-in user levels:
Administrator - Administrator user level is a built-in user level that has all permissions plus the privileges to modify User IDs and User Levels. Its permissions are same as that of the hard-coded Administrator Login
Note: Even you enable all permissions for an user defined User Level, the User Level will NOT become same as this Administrator User Level. User defined User Levels will not have the permissions to manage users (although parent users has some limited control on their child users).
Default - Default user level is built-in user level with user level = 0. Since User Level field is an integer field, if you set a default value of 0 for this field, this user level will become the default user level for the user after registration and before the Administrator assigning another higher user level.
The Anonymous built-in user level in previous versions is deprecated. Use the new [Anonymous User] (see above) to configure permissions for users before login.
Notes: You may need to use the hard-coded Administrator Login to log on and assign user levels to users initially.
User Login Options
User Login Options allows you to create a complete user registration system for your Web site, with options
to let user register, change password and recover password.
| Login |
| Track failed attempts |
If enabled, number of failed login attempts (invalid password) will be tracked. If exceeded, the user will be locked out and the password must be reset.
|
| Maximum failed attempts |
The maximum number of failed login attempts |
| Failed attempts windows (minutes) |
The time window, in minutes, during which failed password attempts are tracked. |
| Disallow concurrent login |
If enabled, only one session is allowed for each user (except the hard-coded Administrator). If one user has already logged in, other users trying to login with the same username (and password) will be rejected.
Note: Users are distinguished by Session ID as recognized by the web server. If you login again with your PC in another window of the same browser or in just another tab of your browser, you can still login. If you login again with another browser or another PC, the Session ID will be different and the login will be rejected.
|
| Login status timeout (minutes) |
The number of idle minutes after which the login status will be considered as logged out and login will be allowed again.
If a logged-in user does not explicitly log out (for example, close the browser directly), the user session is not closed and the user's login status will remain as "logged in". Attempts to login again will fail. This timeout setting ensures login will be allowed again after a period of idle time.
|
| CAPTCHA (requires extension) |
Optionally requires user to type letters or digits from a distorted image that appears on the screen..
Note: CAPTCHA function requires CAPTCHA extension, click Tools->Extensions from the main menu to enable. Also see Third-party Tools.
|
| Password |
| MD5 password |
Use MD5 password
Note: If you enable MD5 password, make sure that the passwords in your user table are stored as MD5 hash (32-character hexadecimal number) of the clear text password. If you also use case-insensitive password, convert the clear text passwords to lower case first before calculating MD5 hash. Otherwise, existing users will not be able to login. MD5 hash is irreversible, password will be reset during password recovery.
|
| Case-sensitive password |
Use case-sensitive password |
| Enable password expiry |
If enabled, user password will expire after a period of time (except the hard-coded Administrator password) |
| Password expiry time (days) |
For use with Enable password expiry, user password will expire after the specified number of days |
| User Registration Page |
| Enabled |
Generate user registration page and add a link in login page. |
| Fields |
Select fields (from the user table) to show in the registration page. Click the [...] button the select the fields. |
| CAPTCHA (requires extension) |
Optionally let user view the input before submitting the registration form.
Note: CAPTCHA function requires CAPTCHA extension, click Tools->Extensions from the main menu to enable. Also see Third-party Tools.
|
| Confirm before submit |
Optionally send email confirmation after registration |
| Send email |
Optionally send email confirmation after registration |
| Requires activation |
Optionally requires user click an activation link in the email sent after registration to activate the user account.
Note: Send email must be enabled for sending the email with activation link.
|
| Auto login after registration/activation |
Optionally auto-login the user after registration or activation.
Note: Requires activation is enabled, the user is not activated yet after registration, auto login will be applied when the user clicks the activation link in the email.
|
| Change Password Page |
| Enabled |
Generate change password page |
| Send email |
Optional email confirmation after changing password |
| CAPTCHA (requires extension) |
Optionally requires user to type letters or digits from a distorted image that appears on the screen..
Note: CAPTCHA function requires CAPTCHA extension, click Tools->Extensions from the main menu to enable. Also see Third-party Tools.
|
| Password Recovery Page |
| Enabled |
Generate password recovery page (forgot password page) and add a link in login page. User name and password will be sent to the user's email address. |
| CAPTCHA (requires extension) |
Optionally requires user to type letters or digits from a distorted image that appears on the screen..
Note: CAPTCHA function requires CAPTCHA extension, click Tools->Extensions from the main menu to enable. Also see Third-party Tools.
|
| User Table Fields |
Email address field |
Email address field in user table used for sending email |
| Activated field |
Email activated field in user table used for storing the status of user. A boolean field is recommended, although an integer field or a string field will also work.
Notes:
- To enable user account activation, the Requires activation and Send email options under User Registration Page must be checked. The user needs to click an activation link in the email sent after registration to activate the user account.
- If enabled, make sure the activated field for existing users in your user table is updated with your activation values (e.g. True/False, 1/0, Y/N) or the existing users cannot login because they are not recognized as activated. You can enable Multi-Update feature for the user table so administrators can activate or deactivate existing users easily.
|
| Profile field |
A memo field for persisting all the additional user information. This field is required if the following options are used:
- Track failed attempts
- Disallow concurrent login
- Enable password expiry
|
The email sending function and the email contents can be customized in the template. The following special tags are used in the email templates:
<!--$From--> is sender email address
<!--$To--> is user email address
<!--$Password--> is user password
<!--FieldName--> (without the $ symbol) is the field value.
For example, <!--LastName--> is the field value of the field "LastName".
The email format can be either "TEXT" or "HTML". If you use HTML, change the line "Format: TEXT" to "Format: HTML" and enter HTML content below it.
You can also dynamically change the email by code using Email_Sending event before the email is sent. (See Server Events and Client Scripts)
Also See:
Tutorial - User ID Security
Tutorial - Static User Level Security
Tutorial - Dynamic User Level Security
Tutorial - User Registration System
|
