Security and Session Preferences

This section of the Control Panel lets you define the basic security settings for your website. These settings apply throughout the website and system.

Main Screen

The main Security Settings screen shows a table of the preferences. All the security setting preferences are set via this screen.

All preferences in this area of the Control Panel are required fields unless otherwise indicated.

Security Settings main screen, Part 1

Control Panel Session Type

This determines how sessions are handled for the Control Panel. You may use cookies, session IDs, or a combination. The available options are:

  1. Cookies and session ID: Both cookies and URL session ID parameters are used to track the admin user. This is the default setting.
  2. Cookies only: Only cookies are used to track the admin user.
  3. Session ID only: Only URL session IDs are used to track the admin user.

User Session Type

This determines how sessions for regular users on your website are handled. You may use cookies, session IDs, or a combination. The available options are:

  1. Cookies and session ID: Both cookies and URL session ID parameters are used to track the user throughout their visit.
  2. Cookies only: Only cookies are used to track the user throughout their visit. This is the default setting.
  3. Session ID only: Only URL session IDs are used to track the user throughout their visit.

Process Form Data in Secure Mode?

This setting determines how form data is processed. When this preference is set to "Yes", forms are processed in Secure Mode. This setting is designed to deter automated spam attacks as well as multiple accidental submissions. Enabling this feature does add one additional database query for each form submission.

Deny Duplicate Data?

This option prevents data submitted by users (such as comments or trackbacks) from being processed if it is an exact duplicate of data that already exists. This setting is designed to deter automated spam attacks as well as multiple accidental submissions.

Allow members to change their username?

As the name suggests, this setting determines whether or not members are allowed to change their "username" after they register. Members will always be able to change their "screen name" if they choose to use one.

Allow Multiple Accounts Using the Same Email Address?

You can choose whether or not you want to allow members to use the same email address to register more than one account. If this preference is set to "No" then a unique email address will be required for every account.

Allow Multiple Log-ins From a Single Account?

This setting determines whether the same member account can be used by more than one person at the same time. Note: If the Session Type above is set to "Cookies Only", this feature will not work.

Require IP Address and User Agent for Login?

If this preference is set to "Yes", then users will not be able to log in unless their browser (or other access device) correctly supplies their IP address and User Agent information. Having this set to "Yes" can help prevent hackers from logging in using direct socket connections.

Security Settings main screen, Part 2

Enable Password Lockout?

When this preference is set to "Yes", the system will lock a member account if more than four invalid login attempts are made within a specified time period (see next setting). This preference is designed to deter hackers from guessing poorly chosen passwords through repeated login attempts. The account remains locked for the duration of the time period. Once the period expires, the account is unlocked.

Time Interval for Lockout

This setting is used together with the previous preference. Here you can determine, in minutes, the time interval over which more than four invalid login attempts will trigger a lockout. You may use decimals to indicate fractions of a minute: e.g. 1.5 equals one and a half minutes.
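The lockout rule described by these two preferences, sketched as an added example (not the system's own code). It assumes a sliding window keyed by username, that attempts made while locked are not counted, and that a successful login does not clear earlier failures; the class and function names are hypothetical.

```python
from collections import defaultdict, deque

MAX_INVALID = 4  # the page locks on "more than four" invalid attempts


class LockoutTracker:
    """Per-account lockout over a sliding time window (assumed semantics)."""

    def __init__(self, interval_minutes):
        # The setting is in minutes and may be fractional, e.g. 1.5 -> 90 s.
        self.window = float(interval_minutes) * 60.0
        self.failures = defaultdict(deque)  # username -> failure timestamps

    def _recent(self, username, now):
        q = self.failures[username]
        while q and now - q[0] >= self.window:  # drop failures outside window
            q.popleft()
        return q

    def is_locked(self, username, now):
        return len(self._recent(username, now)) > MAX_INVALID

    def attempt(self, username, password_ok, now):
        """Return 'locked', 'ok' or 'invalid' for one login attempt."""
        if self.is_locked(username, now):
            return "locked"  # refused even when the password is correct
        if password_ok:
            return "ok"
        self.failures[username].append(now)
        return "invalid"


def replay(interval_minutes, events):
    """Run constructed (seconds, username, password_ok) events in order."""
    tracker = LockoutTracker(interval_minutes)
    return [tracker.attempt(user, ok, t) for t, user, ok in events]


# Constructed sample: five bad guesses, then the correct password twice.
SAMPLE_EVENTS = [
    (0, "alice", False), (10, "alice", False), (20, "alice", False),
    (30, "alice", False), (40, "alice", False),
    (50, "alice", True),  # inside the 90 s window: still locked
    (90, "alice", True),  # first failure has aged out: allowed again
]

if __name__ == "__main__":
    print(replay(1.5, SAMPLE_EVENTS))
```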

Require Secure Passwords?

If this preference is set to "Yes", then users will be required to choose a minimally "secure" password. In this case, that means a password containing at least one uppercase character, one lowercase character, and one numeric character. Passwords that follow this basic formula are much more difficult to guess.

Allow Dictionary Words as Passwords?

Setting this preference to "Yes" will prevent users from being able to use words and names that are contained within a specified dictionary file as their password. This will make "dictionary attacks" by hackers much more difficult. Note: In order to be able to use this setting you must have a dictionary file installed for the system.

Name of Dictionary File

This is the filename of the dictionary file used for the previous preference.

Minimum Username Length

You may specify the minimum length required for a member username during new member registration. Specify the minimum number of characters required.

Minimum Password Length

You may specify the minimum length required for a member password during new member registration. Specify the minimum number of characters required. It is common practice to require passwords at least eight (8) characters long.
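How the "secure" password formula, the dictionary file and the minimum password length combine at registration, as an added example (not the system's own code). It assumes a dictionary file with one word per line and a case-insensitive whole-password match; the function names and the sample word list are constructed for illustration.

```python
import io


def load_dictionary(fileobj):
    """Read a one-word-per-line dictionary file into a lowercase set."""
    return {line.strip().lower() for line in fileobj if line.strip()}


def check_password(password, min_length=8, require_secure=True, dictionary=None):
    """Return the list of rules the password fails (empty list = accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if require_secure:
        # The page's formula: one uppercase, one lowercase, one numeric.
        if not any(c.isupper() for c in password):
            problems.append("no_uppercase")
        if not any(c.islower() for c in password):
            problems.append("no_lowercase")
        if not any(c.isdigit() for c in password):
            problems.append("no_digit")
    # Assumed matching rule: the whole password equals a dictionary entry.
    if dictionary is not None and password.lower() in dictionary:
        problems.append("dictionary_word")
    return problems


# Constructed stand-in for the dictionary file named in the preference.
SAMPLE_DICTIONARY = load_dictionary(io.StringIO("password\ndragon\n\nLetMeIn\n"))

if __name__ == "__main__":
    for candidate in ("dragon", "DRAGON", "Password1", "tr4ceRoute9"):
        print(candidate, check_password(candidate, dictionary=SAMPLE_DICTIONARY))
```

With exact matching, "Password1" satisfies every rule even though it is a dictionary word plus one digit, which shows how little the formula and the word list guarantee on their own.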