Increase login security

Abstract

Make the login page available to SSL requests only and turn off auto complete of user names.

You can improve the security of the Sitecore login webpage, in the following ways:

Make the login page available only to SSL requests

To configure the Sitecore Experience Platform to use only SSL requests for the Sitecore login page:

  • Create a custom redirect processor that redirects from http://hostname/sitecore/login to https://hostname/sitecore/login, and redirect all other pages from https to http.

    Use the following code as an example:

    public class SslLogin
    {
        public void Process(PipelineArgs args)
        {
            string absUrl = HttpContext.Current.Request.Url.AbsoluteUri;
            string localUrl = HttpContext.Current.Request.Url.LocalPath;
            if (localUrl.StartsWith("/sitecore/login") && absUrl.StartsWith("http://") && !Context.IsLoggedIn)
            {
                HttpContext.Current.Response.Redirect(absUrl.Replace("http://", "https://"));
                return;
            }
            if (!localUrl.StartsWith("/sitecore/login") && absUrl.StartsWith("https://") && Context.IsLoggedIn)
            {
                HttpContext.Current.Response.Redirect(absUrl.Replace("https://", "http://"));
            }
        }
    }

Turn off auto complete of user names

You can specify that Sitecore should not complete the user name of users automatically when they log in. This is useful, for example, if you do not want user names to be disclosed when content authors log into Sitecore on a shared or public computer. In addition, you can disable the Remember me check box.

To disable auto complete of user names:

  • Open the sitecore.config file and set the Login.DisableAutoComplete setting to true. This disables auto complete on the Sitecore login forms on the /sitecore/login/default.aspx and /sitecore/admin/login.aspx pages.

To disable the Remember me check box on the login page:

  • Open the sitecore.config file and set the Login.DisableRememberMe setting to true. This also ignores any existing Remember Me cookies, and all users have to log in again.

Disable the Remember Last Logged In User Name setting

As an additional defense in depth strategy, Sitecore recommends that you disable the browser's ability to remember the user name of the last logged in user.

To disable the Remember Last Logged In User Name setting:

  • Open the sitecore.config file and set the Login.RememberLastLoggedInUserName setting to false.