Authentication

A login form is shown on the index page if there is no active website, and on the manage page if the user is not logged in.

Users can log in using a username or an email address. If the current domain is not bound to any subsystem, the user can select the subsystem to log in to. To hide the subsystem selection, set the property login.select.subsystem to false in conf/system.properties.

	login.select.subsystem=false

Then clear the cache under the system module so that system.properties is reloaded.

Password Encoding

Passwords are encoded using a one-way MD5 hash. It is not possible to recover the plain password from an encoded password.

Credential Cookie

If the user chooses to remember the credential so that subsequent HTTP sessions log in automatically, a credential cookie is created.

	cookie name: credential
	cookie value: username/double-encoded-password

The password is encoded twice using a one-way MD5 hash, and it is not possible to recover the plain password.

The cookie age can be configured in the ViewConfig of an embedded login object using the parameter credential.cookie.age. Its value is a number of days. The default cookie age is 90 days.

	<viewConfig>
		<param name="credential.cookie.age" value="120" />
	</viewConfig>

The cookie expiration date is refreshed every time the cookie is used to authenticate the user successfully, so the cookie never expires as long as the user accesses the system/subsystem before its expiration date.

The credential cookie will be removed in the following cases:

If the user changes the password, the credential cookie becomes invalid. The cookie is removed once the system fails to authenticate the user by the cookie.
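
The credential cookie lifecycle described above, as an added example (not the product's own code): issuing the value, checking it, refreshing the expiry on each successful use, and rejecting it after a password change. It assumes lowercase hex MD5 over UTF-8 and that "double-encoded" means MD5 applied to the stored MD5 string; the function names and the user_db mapping are hypothetical.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

COOKIE_NAME = "credential"
DEFAULT_COOKIE_AGE_DAYS = 90  # default for credential.cookie.age per the page


def md5_hex(text):
    # Assumption: UTF-8 input, lowercase hex output.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_cookie_value(username, stored_hash):
    # Assumption: the second encoding is MD5 over the stored MD5 hex string.
    return f"{username}/{md5_hex(stored_hash)}"


def authenticate(cookie_value, user_db, now, age_days=DEFAULT_COOKIE_AGE_DAYS):
    """Return (username, new_expiry) on success, or (None, None), in which
    case the caller removes the cookie."""
    # Split on the last "/" because the hex token never contains one.
    username, sep, token = cookie_value.rpartition("/")
    stored_hash = user_db.get(username)
    if not sep or stored_hash is None:
        return None, None
    expected = md5_hex(stored_hash)
    # Constant-time comparison of the presented and expected tokens.
    if not hmac.compare_digest(token.encode("utf-8"), expected.encode("utf-8")):
        return None, None
    # Sliding expiration: every successful use restarts the full cookie age.
    return username, now + timedelta(days=age_days)


def demo():
    # Constructed sample data, not taken from the product.
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    users = {"alice": md5_hex("old-password")}
    cookie = make_cookie_value("alice", users["alice"])
    before_change = authenticate(cookie, users, now)
    users["alice"] = md5_hex("new-password")  # the user changes the password
    after_change = authenticate(cookie, users, now + timedelta(days=1))
    return cookie, before_change, after_change


if __name__ == "__main__":
    print(demo())
```

In this model the token is derived only from the stored hash, so it is identical for every session and stays valid until the password changes; the cookie should be protected as a password equivalent.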

Embed Login in Web Pages

See Embedded Objects.

Strong Password

Strong passwords can be enabled, and the password pattern can be configured, in System Config.

Authorization

See Access Control.