eWeb Login - Technical Information
An eWeb User is someone who authenticates in eWeb or in xWeb (via the WebLogin web method). To perform any significant transaction, such as updating or adding personal information or any kind of eCommerce transaction, a user must log in.
All eWeb Users are Customers in netFORUM, either an Individual or an Organization. Most instances of netFORUM allow only Individuals to log in.
See the User page for a more detailed summary of an eWeb user, along with comparisons of eWeb Users with the other kinds of users in netFORUM.
Username and Password
For username topics, see UseEmailForAuthorization system option.
For password topics, see HashPassword.
Customer passwords are stored in co_customer.cst_web_password; see HashPassword for how that value is stored. Baseline netFORUM supports restrictions for requiring strong passwords (length, required numbers and letters, upper- or lowercase, etc.). Refer to the topic Enhanced eWeb Password Security for more information.
The PasswordRegex system option lets you express those password restrictions as a regular expression and is available for PCI compliance.
For eWeb to check customer passwords during login, the verifyPassword key in the appSettings section of the eWeb web.config must be set to true:
<add key="verifyPassword" value="true"/>
This setting is sometimes set to false during development, which means passwords are not checked at all; it must be changed back to true before go-live, and confirming it is a mandatory pre-launch check.
It is technically possible for more than one individual to have the same email address (see Email Address uniqueness for more), and for those individuals to have the same password, for example when a person adds a duplicate record for him- or herself and enters the same favorite password on each record. When logging in, netFORUM uses the first customer record that matches the username / password combination entered, so which of the duplicates is logged in depends on the order in which the records are returned.
To find records with the same username / password combination, use the SQL script below. It compares the stored cst_web_password values directly, so it finds duplicates among clear-text passwords or among identical stored hashes; if passwords are hashed with a per-record salt, equal passwords do not produce equal stored values and are not reported.
SELECT [c1_key] = cst1.cst_key,
[c2_key] = cst2.cst_key,
[c1Name] = cst1.cst_sort_name_dn,
[c2Name] = cst2.cst_sort_name_dn,
[c1Email] = cst1.cst_eml_address_dn,
[c1Password] = cst1.cst_web_password,
[c2Email] = cst2.cst_eml_address_dn,
[c2Password] = cst2.cst_web_password
FROM
co_customer cst1 (NOLOCK)
JOIN co_customer cst2 (NOLOCK)
ON cst1.cst_eml_address_dn = cst2.cst_eml_address_dn
AND cst1.cst_eml_address_dn IS NOT NULL
AND cst2.cst_eml_address_dn IS NOT NULL
AND cst1.cst_web_password IS NOT NULL
AND cst2.cst_web_password IS NOT NULL
AND cst1.cst_web_password = cst2.cst_web_password
AND cst1.cst_key <> cst2.cst_key
ORDER BY cst1.cst_web_password
New Visitor Registration
See main article for explanation of how new users can register or sign up on the eWeb website.
Forget Password
See main article for baseline Forget Password functionality.
Change Password
See main article for baseline Change Password functionality.
Remember Me Checkbox
The remember me checkbox appears on eWeb login pages as long as the rememberMe attribute in the /eweb/web.config file is set to true.
If the user logs in and checks this checkbox, then a cookie is set on the user's computer that will allow them to bypass the login should they return to a eWeb page later on that requires login. See EWebLoginByCustomerKeyCookieName for more on the cookie.
If the user goes directly to the login page, however, they will see the login page; it will not say "Welcome Back, John!"
RememberMe Web.Config Setting
In /eweb/web.config, set the <rememberMe> setting to true to enable the Remember Me checkbox to display.
<appSettings>
....
<add key="rememberMe" value="true"/>
</appSettings>
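The verifyPassword requirement above and the rememberMe key here are both plain appSettings entries, so they can be audited before go-live. The script below is an added example, not netFORUM code: it parses a constructed /eweb/web.config (the key names come from this page, the values are illustrative), flags verifyPassword whenever it is anything other than true, and reports when rememberMe is on and when a CustomLoginMethod assembly is configured.

```python
"""Pre-go-live audit of the eWeb login keys in /eweb/web.config.

Added example, not netFORUM code. Parses the appSettings section and
reports the settings that change how eWeb authenticates users.
"""
import xml.etree.ElementTree as ET

# Constructed sample: verifyPassword is still false, as it often is during
# development. Values are illustrative; the key names are from this page.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="verifyPassword" value="false"/>
    <add key="rememberMe" value="true"/>
    <add key="CustomLoginMethod"
         value="ABC_Auth|Avectra.netForum.Clients.ABC.Authentication|Login|String:test"/>
  </appSettings>
</configuration>
"""


def load_app_settings(xml_text):
    """Return appSettings as {key.lower(): value}. ASP.NET looks the keys up
    case-insensitively, which is why this page can write the same key as
    <verifypassword> and verifyPassword; the lookup here does the same."""
    section = ET.fromstring(xml_text).find("appSettings")
    if section is None:
        return {}
    return {add.get("key", "").lower(): add.get("value", "")
            for add in section.findall("add")}


def audit_login_settings(xml_text):
    """Return a list of findings; an empty list means nothing needs attention."""
    settings = load_app_settings(xml_text)
    findings = []

    verify = settings.get("verifypassword")
    if verify is None or verify.strip().lower() != "true":
        findings.append(
            "verifyPassword is %r: eWeb will not check customer passwords at login; "
            "set it to true before go-live." % verify)

    if settings.get("rememberme", "").strip().lower() == "true":
        findings.append(
            "rememberMe is true: the <site>login and <site>pw cookies persist for "
            "a year on any browser where the box is ticked.")

    if settings.get("customloginmethod"):
        findings.append(
            "CustomLoginMethod is set to %r: that assembly in /eweb/bin is loaded "
            "and run by reflection when a session starts; confirm it is yours."
            % settings["customloginmethod"])

    return findings


if __name__ == "__main__":
    for finding in audit_login_settings(SAMPLE_WEB_CONFIG):
        print("-", finding)
```

Run it against the real /eweb/web.config on each web server of the farm, not just the one the deployment was tested on; a missing verifyPassword key is reported the same way as a false one.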
Cookie Settings
If a user checks the Remember Me checkbox, two cookies are set. The first is called <<sitename>>login, where <<sitename>> is the value of the Site parameter (which is based on a Web Site) for the page where the login occurs. In this example the Site code is Avectra, so the cookie name is avectralogin, and its content is the username of the user who just logged in. If that user later lands on a page that requires login, the user authentication logic in eWeb looks to this cookie, even if the page belongs to a different eWeb Site. The expiration date of the cookie is the current date plus one year.
If the user does not check the checkbox, or clicks the Logout link, the content of this cookie is empty.
The second cookie, <<sitename>>pw, holds an encrypted version of the password the user entered. The combination of <<sitename>>login and <<sitename>>pw is used to authenticate the user into eWeb. Because the pw cookie is a reversible form of the password that stays in the browser for a year, treat the pair as a credential: serve the site over HTTPS so the cookies are not exposed in transit, and remember that anyone who obtains both cookies can log in as that user until they are blanked by a logout.
Implementing Custom Post Login Tasks
Beginning in 2006.02.09, you can implement special routines that fire after a user has logged in. You can run your own .NET code to set cookies, session variables, etc.
To do this, you must add a system option named ClientAfterLoginActions if it does not already exist, and enter the name of your assembly, namespace, and public void method name, separated by the pipe character, such as this:
ABCeWeb|ABCeWeb.ClientAfterLoginTasks|ExecAfterLoginJobs
Here is the form the code might take, for example, to write a domain cookie after a successful login:
using System;
using System.Web;
using Avectra.netForum.Common;   // UtilityFunctions.EmptyString
namespace ABCeWeb
{
    // Referenced from the ClientAfterLoginActions system option as
    // ABCeWeb|ABCeWeb.ClientAfterLoginTasks|ExecAfterLoginJobs
    public class ClientAfterLoginTasks
    {
        public void ExecAfterLoginJobs()
        {
            // eWeb has already authenticated the user; the session carries the
            // customer's e-mail address. Nothing to do if it is missing.
            object email = HttpContext.Current.Session["CustomerEMail"];
            if (email == null || UtilityFunctions.EmptyString(email.ToString()))
                return;
            // Domain cookie: readable by every host under abcnetforum.com
            HttpCookie oDomainCookie = new HttpCookie("customeremail");
            oDomainCookie.Value = email.ToString();
            oDomainCookie.Domain = "abcnetforum.com";
            // Persist the cookie for a year only when the user ticked Remember Me.
            // The checkbox is posted under one of two names depending on the
            // ASP.NET naming-container separator in use (':' or '$').
            HttpRequest request = HttpContext.Current.Request;
            bool rememberMe =
                request["eWebLoginControl:CheckBoxRememberMe"] == "on" ||
                request["eWebLoginControl$CheckBoxRememberMe"] == "on";
            if (rememberMe)
                oDomainCookie.Expires = DateTime.Now.AddYears(1);
            // Without Expires the cookie lasts for the browser session only.
            HttpContext.Current.Response.Cookies.Add(oDomainCookie);
        }
    }
}
Implementing CustomLoginMethod
If you set a value for the CustomLoginMethod key in /eweb/web.config, the method it names fires when a session starts, but only if the customer is not logged in yet. Example:
<add key="CustomLoginMethod" value="ABC_Auth|Avectra.netForum.Clients.ABC.Authentication|Login|String:test"/>
The format is Assembly|Namespace|Method|Parameters
- Assembly: enter the name of the .NET Assembly that contains your method. Typically this Assembly will be for a project type of Class Library.
- Namespace: enter the namespace in which your method exists.
- Method: The method must be a public method. Typically it will be a void because netFORUM doesn't do anything with a return variable; it expects your code to log in the user. If your code cannot log in a user, that's fine, netFORUM will just proceed and assume the user is an unauthenticated anonymous user.
- Parameters (if any) are Name:Value pairs, separated by semicolons, e.g.:
Name1:Value1;Name2:Value2
In your custom code you can log in a customer with your own logic to bypass the standard netFORUM login prompt page. For example, another application might handle authentication and write a domain cookie containing the customer key; your code would look for that cookie, read the value, and log the user in programmatically. Your code should have no UI elements; it is intended for behind-the-scenes logic that identifies who the user is. Note that a cookie carrying only a customer key can be set by anyone who controls a browser on that domain, so the issuing application must protect the value (for example by signing or encrypting it) and your code must verify that protection before treating the key as the authenticated user.
Once you have identified the user, your code must call one of the netFORUM eWeb Login Methods to authenticate the user to eWeb (these run business logic essential to eWeb). They return a bool indicating whether the user could be authenticated and logged in; you can run other code based on that value, and then your method should end. netFORUM instantiates your class and runs the method by reflection.
After you build your assembly, deploy it to the /eweb/bin/ folder on the web server. Because the assembly named in CustomLoginMethod is loaded and executed whenever a session starts, the ability to change that setting or to write to /eweb/bin/ is equivalent to running code on the web server; restrict both accordingly.
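The following is an added example, not netFORUM or Avectra code, showing the two things a CustomLoginMethod built on the domain-cookie scenario above has to get right: reading its Parameters from the Assembly|Namespace|Method|Parameters setting, and refusing a customer key that is not signed by the issuing application. The issuing side is included so the check can be exercised offline. The shared secret, the CookieName parameter, the cookie layout (key|expiry|HMAC-SHA256) and the sample customer key are all assumptions; a C# implementation inside your assembly would do the same with System.Security.Cryptography.HMACSHA256 and then pass the verified key to an eWeb Login Method.

```python
"""Verifying a signed customer-key cookie inside a CustomLoginMethod.

Added example, not netFORUM or Avectra code. Parses the
Assembly|Namespace|Method|Parameters setting to get the cookie name, then
checks the cookie the way the custom login code should before handing the
customer key to an eWeb Login Method.
"""
import hashlib
import hmac
import re
import time

# Assumptions: a secret shared between the issuing application and eWeb,
# and the cookie name passed through the setting's Parameters segment.
SHARED_SECRET = b"example-shared-secret-do-not-ship"
CUSTOM_LOGIN_SETTING = (
    "ABC_Auth|Avectra.netForum.Clients.ABC.Authentication|Login|CookieName:abc_customer")

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
DEFAULT_WEB_USER_KEY = "00000000-0000-0000-0000-000000000000"  # named on this page


def parse_custom_login_setting(value):
    """Assembly|Namespace|Method|Parameters; Parameters is Name:Value;Name:Value."""
    parts = value.split("|")
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError("expected Assembly|Namespace|Method[|Parameters]")
    params = {}
    if len(parts) > 3 and parts[3]:
        for pair in parts[3].split(";"):
            name, sep, val = pair.partition(":")
            if not sep:
                raise ValueError("parameter %r is not Name:Value" % pair)
            params[name.strip()] = val.strip()
    return {"assembly": parts[0], "namespace": parts[1],
            "method": parts[2], "parameters": params}


def issue_customer_cookie(cst_key, secret=SHARED_SECRET, ttl_seconds=3600, now=None):
    """Issuing application: cst_key|expiry|HMAC-SHA256(cst_key|expiry)."""
    now = int(time.time()) if now is None else now
    payload = "%s|%d" % (cst_key, now + ttl_seconds)
    tag = hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return payload + "|" + tag


def verify_customer_cookie(cookie, secret=SHARED_SECRET, now=None):
    """Return the customer key only if the cookie is well formed, carries a
    valid signature, is unexpired, and does not name the Default Web User."""
    now = int(time.time()) if now is None else now
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    cst_key, exp_text, tag = parts
    payload = ("%s|%s" % (cst_key, exp_text)).encode("utf-8")
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare first
        return None
    if not exp_text.isdigit() or int(exp_text) < now:
        return None
    if not GUID_RE.fullmatch(cst_key) or cst_key == DEFAULT_WEB_USER_KEY:
        return None
    return cst_key


def custom_login(request_cookies, setting=CUSTOM_LOGIN_SETTING, now=None):
    """What the configured Login method does with the request's cookies:
    locate the cookie named in Parameters and return the verified customer
    key to pass to an eWeb Login Method, or None to stay anonymous."""
    params = parse_custom_login_setting(setting)["parameters"]
    cookie = request_cookies.get(params.get("CookieName", ""))
    if cookie is None:
        return None
    return verify_customer_cookie(cookie, now=now)


if __name__ == "__main__":
    key = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"   # constructed customer key
    jar = {"abc_customer": issue_customer_cookie(key)}
    print("logged in as", custom_login(jar))
    jar["abc_customer"] = key                     # bare, unsigned key
    print("bare key accepted?", custom_login(jar) is not None)
```

The signature is checked before the expiry and format fields are interpreted, so nothing in the cookie is trusted until the HMAC matches; the Default Web User key is rejected because a verified cookie should name a real customer, never the anonymous placeholder.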
Custom Logoff
Here are three techniques to implement a log out feature in eWeb.
Logout.aspx Page
Send the user to this page, substituting mysite with the real address (or use a relative URL), TheSiteCode for the eWeb site, and the WebKey of your logout page (see below):
https://mysite/eWeb/Logout.aspx?Site=TheSiteCode&WebKey=zzzz
The WebKey is generated by the baseline CMS web link for a "logout" page which should have Logout.aspx for the page name.
Alternately, instead of WebKey, use the WebCode for the logout page.
For reference, the baseline Logout link in CMS web sites uses a CMS Site Link that generates a URL like the one above.
StartPage.aspx with Logoff
Send the user to StartPage.aspx with the logoff parameter set to y:
StartPage.aspx?logoff=y
That querystring parameter logs the user out (by running essentially the same code as described below).
Logout in Code
If you want to implement a custom log off method in .NET, blank out the values of the two cookies that eWeb sites use for authenticating, which is what the baseline Logout does (the cookies remain, with empty content, so the remembered login no longer matches):
// Session["eWebSiteID"] holds the Site code that prefixes the cookie names.
if (Session["eWebSiteID"] != null)
{
    string site = Session["eWebSiteID"].ToString();

    // <<sitename>>login: the remembered username
    HttpCookie CookieLogin = new HttpCookie(site + "login");
    CookieLogin.Value = "";
    CookieLogin.Expires = System.DateTime.Now.AddYears(1);

    // <<sitename>>pw: the encrypted password
    HttpCookie CookiePW = new HttpCookie(site + "pw");
    CookiePW.Value = "";
    CookiePW.Expires = System.DateTime.Now.AddYears(1);

    // Adding cookies with the same names overwrites the browser's copies.
    Response.Cookies.Add(CookieLogin);
    Response.Cookies.Add(CookiePW);
}
Related system options:
- EWebLoginByCustomerKeyCookieName
- EWebLoginByCustomerIDCookieName
- EWebLoginByCustomerKeyPasswordCookieName
- Default Web User - A specialized customer with customer key 00000000-0000-0000-0000-000000000000