Security Settings Configuration

pmbanugo edited this page Sep 18, 2014 · 2 revisions

The SecuritySettings class provides settings to control various security options in MembershipReboot. They are:

  • MultiTenant (bool, default: false) : Allow more than one tenant?
  • DefaultTenant (string, default: "default") : Default tenant name used when no tenant is specified (used when MultiTenant is false).
  • EmailIsUsername (bool, default: false) : Email is used as the user's username.
  • UsernamesUniqueAcrossTenants (bool, default: false) : Username must be unique across all tenants (normally username is only unique within each tenant).
  • RequireAccountVerification (bool, default: true) : The email address must be verified before the user can log in.
  • AllowLoginAfterAccountCreation (bool, default: true) : The user can log in immediately after the account has been verified. Setting this to false requires the application to provide some approval process of its own.
  • AccountLockoutFailedLoginAttempts (int, default: 10) : Number of failed password login attempts before the account is locked out.
  • AccountLockoutDuration (TimeSpan, default: 5 minutes) : Duration an account will be locked due to too many failed password login attempts.
  • AllowAccountDeletion (bool, default: true) : When an account is closed, physically delete its record from the database.
  • PasswordHashingIterationCount (int, default: automatic) : Number of iterations used to hash passwords. A value of "0" means the number is calculated automatically from the OWASP recommendation for the current year.
  • PasswordResetFrequency (int, default: disabled) : Number of days after which passwords must be reset. A value of "0" means a reset is not required.
  • VerificationKeyLifetime (TimeSpan, default: 20 minutes) : A verification key sent for password reset, email change or mobile change is only valid for this duration, measured from the time it is sent.

These values can be defaulted via a custom configuration element in the configuration file:

<configuration>
  <configSections>
    <section name="membershipReboot" type="BrockAllen.MembershipReboot.SecuritySettings, BrockAllen.MembershipReboot" />
  </configSections>

  <membershipReboot 
       requireAccountVerification="true" 
       emailIsUsername="false" 
       multiTenant="false" 
       passwordHashingIterationCount="0" 
       accountLockoutDuration="00:01:00" 
       passwordResetFrequency="0" />
</configuration>
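As an added example (not part of this wiki or the MembershipReboot project), the following Python script reads the membershipReboot element from a config file, applies the documented defaults for the keys it does not set, and flags any value that is weaker than the default; the sample config is constructed from the fragment above and, as written there, its one-minute lockout is shorter than the five-minute default.

```python
import xml.etree.ElementTree as ET
from datetime import timedelta
# Documented SecuritySettings defaults for the keys this check inspects.
DEFAULTS = {
    "requireAccountVerification": True,
    "accountLockoutFailedLoginAttempts": 10,
    "accountLockoutDuration": timedelta(minutes=5),
    "verificationKeyLifetime": timedelta(minutes=20),
}

def parse_timespan(text):
    """Parse the .NET TimeSpan form "[d.]hh:mm:ss" (no fractional seconds)."""
    days, _, clock = text.partition(".") if "." in text.split(":")[0] else ("0", "", text)
    h, m, s = (int(x) for x in clock.split(":"))
    return timedelta(days=int(days), hours=h, minutes=m, seconds=s)

def effective_settings(config_xml):
    """Explicit <membershipReboot> attributes override DEFAULTS; other attributes are ignored."""
    settings = dict(DEFAULTS)
    elem = ET.fromstring(config_xml).find("membershipReboot")
    for key, text in (elem.attrib.items() if elem is not None else []):
        default = DEFAULTS.get(key)
        if isinstance(default, bool):          # bool before int: bool is an int subclass
            settings[key] = text.strip().lower() == "true"
        elif isinstance(default, timedelta):
            settings[key] = parse_timespan(text)
        elif isinstance(default, int):
            settings[key] = int(text)
    return settings

def audit(settings):
    """Return findings where a value is weaker than the documented default."""
    findings = []
    if not settings["requireAccountVerification"]:
        findings.append("requireAccountVerification=false: unverified accounts can log in")
    if settings["accountLockoutFailedLoginAttempts"] > DEFAULTS["accountLockoutFailedLoginAttempts"]:
        findings.append("accountLockoutFailedLoginAttempts above the default of 10")
    if settings["accountLockoutDuration"] < DEFAULTS["accountLockoutDuration"]:
        findings.append("accountLockoutDuration shorter than the default of 5 minutes")
    if settings["verificationKeyLifetime"] > DEFAULTS["verificationKeyLifetime"]:
        findings.append("verificationKeyLifetime longer than the default of 20 minutes")
    return findings

# Constructed sample mirroring the fragment above (configSections omitted for brevity).
SAMPLE = """<configuration>
  <membershipReboot requireAccountVerification="true" emailIsUsername="false"
       multiTenant="false" passwordHashingIterationCount="0"
       accountLockoutDuration="00:01:00" passwordResetFrequency="0" />
</configuration>"""
```

Running audit(effective_settings(SAMPLE)) on this sample reports only the short lockout duration; keys the file does not mention keep their documented defaults.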

Alternatively, these values can be set in code when creating the MembershipRebootConfiguration (which is needed by the UserAccountService).

// Ninject
var configuration = new MembershipRebootConfiguration
{
    EmailIsUsername = true,
    MultiTenant = false,
    RequireAccountVerification = true,
    AllowLoginAfterAccountCreation = true
};

configuration.ConfigurePasswordComplexity(); // ensures proper password complexity

kernel.Bind<MembershipRebootConfiguration>().ToConstant(configuration);
kernel.Bind<UserAccountService>().ToSelf();

Or by using the SecuritySettings class, which is then passed to the MembershipRebootConfiguration constructor:

SecuritySettings securitySettings = new SecuritySettings();
securitySettings.AllowLoginAfterAccountCreation = true;

var config = new MembershipRebootConfiguration(securitySettings);