From d0249d8e9d433ac65d9cc06672dd90b24c91e0a7 Mon Sep 17 00:00:00 2001 From: Andy Butland Date: Tue, 21 Jan 2025 14:33:54 +0100 Subject: [PATCH 1/2] Updated security settings with additional configuration values --- .../configuration/securitysettings.md | 40 ++++++++++-------- .../configuration/securitysettings.md | 42 +++++++++++-------- 2 files changed, 48 insertions(+), 34 deletions(-) diff --git a/14/umbraco-cms/reference/configuration/securitysettings.md b/14/umbraco-cms/reference/configuration/securitysettings.md index 3f5aa901065..9738d58a578 100644 --- a/14/umbraco-cms/reference/configuration/securitysettings.md +++ b/14/umbraco-cms/reference/configuration/securitysettings.md 
@@ -72,6 +72,28 @@ The authentication cookie which is set in the browser when a backoffice user log This setting specifies whether the username and email address are separate fields in the backoffice editor. When set to "false", you can specify an email address and username, only the username can be used to log on. When set to "true" (the default value) the username is hidden and always the same as the email address. +### User default lockout Time + +Use this setting to configure how long time a User is locked out of the Umbraco backoffice when a lockout occurs. The setting accepts an integer which defines the lockout in minutes. + +The default lockout time for users is 30 days (43200 minutes). + +### Member default lockout time + +Use this setting to configure how long time a Member is locked out of the Umbraco website when a lockout occurs. The setting accepts an integer which defines the lockout in minutes. + +The default lockout time for users is 30 days (43200 minutes). + +### Allow concurrent logins + +When set to `false`, any user account is prevented from having multiple simultaneous sessions. In this mode, only one session per user can be active at any given time. This enhances security and prevents concurrent logins with the same user credentials. + +### User login duration + +Umbraco provides protection from user enumeration attacks looking to identify valid backoffice login accounts. It does this by attempting to equalize the time taken for successful and failed logins. + +The `UserDefaultFailedLoginDurationInMilliseconds` can be used to provide a more realistic expected time for a successful login if the default isn't appropriate. This will be used before actual successful logins are detected. `UserMinimumFailedLoginDurationInMilliseconds` provides a minimum duration for a failed login. + ## User password settings This section lets you define the password rules for users. 
@@ -109,20 +131,4 @@ Options are: ## Member password settings -This section allows you to define the password rules for members. This section is identical to the one for users. - -## User Default Lockout Time In Minutes - -Use this setting to configure how long time a User is locked out of the Umbraco backoffice when a lockout occurs. The setting accepts an integer which defines the lockout in minutes. - -The default lockout time for users is 30 days (43200 minutes). - -## Member Default Lockout Time In Minutes - -Use this setting to configure how long time a Member is locked out of the Umbraco website when a lockout occurs. The setting accepts an integer which defines the lockout in minutes. - -The default lockout time for users is 30 days (43200 minutes). - -## Allow concurrent logins - -When set to `false`, any user account is prevented from having multiple simultaneous sessions. In this mode, only one session per user can be active at any given time. This enhances security and prevents concurrent logins with the same user credentials. +This section allows you to define the password rules for members. This section is identical to the one for users. \ No newline at end of file diff --git a/15/umbraco-cms/reference/configuration/securitysettings.md b/15/umbraco-cms/reference/configuration/securitysettings.md index 3f5aa901065..9f6ffeff61b 100644 --- a/15/umbraco-cms/reference/configuration/securitysettings.md +++ b/15/umbraco-cms/reference/configuration/securitysettings.md @@ -38,7 +38,9 @@ A full configuration with all default values can be seen here: }, "UserDefaultLockoutTimeInMinutes": 43200, "MemberDefaultLockoutTimeInMinutes": 43200, - "AllowConcurrentLogins": false + "AllowConcurrentLogins": false, + "UserDefaultFailedLoginDurationInMilliseconds": 1000, + "UserMinimumFailedLoginDurationInMilliseconds": 250, } } } 
@@ -72,6 +74,28 @@ The authentication cookie which is set in the browser when a backoffice user log This setting specifies whether the username and email address are separate fields in the backoffice editor. When set to "false", you can specify an email address and username, only the username can be used to log on. When set to "true" (the default value) the username is hidden and always the same as the email address. +### User default lockout Time + +Use this setting to configure how long time a User is locked out of the Umbraco backoffice when a lockout occurs. The setting accepts an integer which defines the lockout in minutes. + +The default lockout time for users is 30 days (43200 minutes). + +### Member default lockout time + +Use this setting to configure how long time a Member is locked out of the Umbraco website when a lockout occurs. The setting accepts an integer which defines the lockout in minutes. + +The default lockout time for users is 30 days (43200 minutes). + +### Allow concurrent logins + +When set to `false`, any user account is prevented from having multiple simultaneous sessions. In this mode, only one session per user can be active at any given time. This enhances security and prevents concurrent logins with the same user credentials. + +### User login duration + +Umbraco provides protection from user enumeration attacks looking to identify valid backoffice login accounts. It does this by attempting to equalize the time taken for successful and failed logins. + +The `UserDefaultFailedLoginDurationInMilliseconds` can be used to provide a more realistic expected time for a successful login if the default isn't appropriate. This will be used before actual successful logins are detected. `UserMinimumFailedLoginDurationInMilliseconds` provides a minimum duration for a failed login. + ## User password settings This section lets you define the password rules for users. 
@@ -110,19 +134,3 @@ Options are: ## Member password settings This section allows you to define the password rules for members. This section is identical to the one for users. - -## User Default Lockout Time In Minutes - -Use this setting to configure how long time a User is locked out of the Umbraco backoffice when a lockout occurs. The setting accepts an integer which defines the lockout in minutes. - -The default lockout time for users is 30 days (43200 minutes). - -## Member Default Lockout Time In Minutes - -Use this setting to configure how long time a Member is locked out of the Umbraco website when a lockout occurs. The setting accepts an integer which defines the lockout in minutes. - -The default lockout time for users is 30 days (43200 minutes). - -## Allow concurrent logins - -When set to `false`, any user account is prevented from having multiple simultaneous sessions. In this mode, only one session per user can be active at any given time. This enhances security and prevents concurrent logins with the same user credentials. From 27f8e35d031624b21f39503b087c00d506337f51 Mon Sep 17 00:00:00 2001 From: Andy Butland Date: Wed, 29 Jan 2025 21:16:24 +0100 Subject: [PATCH 2/2] Aligned capitalisation --- 14/umbraco-cms/reference/configuration/securitysettings.md | 2 +- 15/umbraco-cms/reference/configuration/securitysettings.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/14/umbraco-cms/reference/configuration/securitysettings.md b/14/umbraco-cms/reference/configuration/securitysettings.md index 9738d58a578..88d0f252e1d 100644 --- a/14/umbraco-cms/reference/configuration/securitysettings.md +++ b/14/umbraco-cms/reference/configuration/securitysettings.md 
@@ -72,7 +72,7 @@ The authentication cookie which is set in the browser when a backoffice user log This setting specifies whether the username and email address are separate fields in the backoffice editor. When set to "false", you can specify an email address and username, only the username can be used to log on. When set to "true" (the default value) the username is hidden and always the same as the email address. -### User default lockout Time +### User default lockout time Use this setting to configure how long time a User is locked out of the Umbraco backoffice when a lockout occurs. The setting accepts an integer which defines the lockout in minutes. diff --git a/15/umbraco-cms/reference/configuration/securitysettings.md b/15/umbraco-cms/reference/configuration/securitysettings.md index 9f6ffeff61b..39d86bad5ba 100644 --- a/15/umbraco-cms/reference/configuration/securitysettings.md +++ b/15/umbraco-cms/reference/configuration/securitysettings.md @@ -74,7 +74,7 @@ The authentication cookie which is set in the browser when a backoffice user log This setting specifies whether the username and email address are separate fields in the backoffice editor. When set to "false", you can specify an email address and username, only the username can be used to log on. When set to "true" (the default value) the username is hidden and always the same as the email address. -### User default lockout Time +### User default lockout time Use this setting to configure how long time a User is locked out of the Umbraco backoffice when a lockout occurs. The setting accepts an integer which defines the lockout in minutes.
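Review bot: In the first hunk of the 14/ file (`@@ -72,6 +72,28 @@`), the "Member default lockout time" section ends with "The default lockout time for users is 30 days (43200 minutes)", but that section documents `MemberDefaultLockoutTimeInMinutes`; change "users" to "members" (the line was carried over unchanged from the old `##` section, so the copy error survives the move). Both lockout paragraphs in the hunk also read "how long time a User is locked out", which should be "how long a user is locked out". In the new "User login duration" section, "This will be used before actual successful logins are detected" is hard to parse; suggest "This value is used as the baseline until the application has measured real successful logins", which says the same thing more directly.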
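Review bot: The second hunk of the 14/ file (`@@ -109,20 +131,4 @@`) replaces the final line and is marked "\ No newline at end of file", so the hunk drops the trailing newline that the file previously had after the removed block. Restore the newline on "This section allows you to define the password rules for members. This section is identical to the one for users." so the file ends cleanly and future diffs against it stay minimal.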
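Review bot: In the 15/ file's configuration hunk (`@@ -38,7 +38,9 @@`), the added line `"UserMinimumFailedLoginDurationInMilliseconds": 250,` is now the last property before the closing `}`, leaving a trailing comma in the "full configuration" sample; that is not valid JSON, and a reader who pastes the sample into a strict parser or validator gets an error. Drop the comma on that line, as the previous last entry `"AllowConcurrentLogins": false` correctly had none. Separately, the 14/ file gets the same two settings documented in prose in this patch but its configuration sample is not touched; either add the two keys there as well or confirm that the 14/ sample is meant to differ.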
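Review bot: The "User login duration" text in the 15/ file's prose hunk (`@@ -72,6 +74,28 @@`) names the two settings but never states their defaults, while the configuration sample earlier in the same file now shows `"UserDefaultFailedLoginDurationInMilliseconds": 1000` and `"UserMinimumFailedLoginDurationInMilliseconds": 250`; add a sentence giving those defaults, in the same way the lockout sections state theirs, so readers can tell when the values need tuning for their environment. The "users"/"members" mix-up in the "Member default lockout time" paragraph and the "how long time" wording apply to this hunk exactly as in the 14/ copy, since the two hunks are identical.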
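Review bot: The two hunks of the second commit only correct the heading capitalisation introduced by the first ("User default lockout Time" to "User default lockout time") in both files; consider squashing this into the first commit so the series does not land an inconsistent heading and then fix it, and so each file has a single clean change to bisect against.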