The CMS provides a secure login system for access to intranets, extranets and the site administration system, with protection against phishing, man-in-the-middle and brute force attacks. Sitekit takes security seriously and we play our part. You should take it seriously too: protect your credentials and enforce a strong password policy. The CMS helps you do this.
The following section explains the logic in use; it was substantially revised in the 10.5 release.
- When a user successfully logs in on a device, a cookie is dropped and that device is recorded as a valid device for that user to log in from.
- If the user later tries and fails to log in on that same device, they can retry as often as they like. The response to a failed login is neutral, with no indication of the cause. The wait before the failure response is random and can be as long as 10 seconds; this is a recognised defence against programmatic brute force attacks.
- If the user fails to log in five times on a new device, without ever having successfully logged in on that device, the following occur:
  - The account is disabled for 10 minutes.
  - The failure appears in the audit trail.
  - An email is sent to the account owner with a reset option.
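The device-aware lockout described above, as an added Python model that is not Sitekit's own code: the credential check is injected as a callable, the device cookie is modelled as a set of trusted device identifiers, the random response delay is returned rather than slept, and the reset email is a hypothetical audit entry.

```python
import random
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

LOCKOUT_FAILURES = 5        # failed attempts on a never-trusted device before lockout
LOCKOUT_SECONDS = 10 * 60   # account disabled for 10 minutes
MAX_DELAY_SECONDS = 10.0    # failure responses wait a random time of up to 10 s


@dataclass
class AccountState:
    trusted_devices: Set[str] = field(default_factory=set)   # devices holding a valid device cookie
    failures: Dict[str, int] = field(default_factory=dict)   # per-device failure count, untrusted devices only
    disabled_until: float = 0.0                              # epoch seconds; 0 means not disabled


class LoginGuard:
    """Unlimited retries on a known device; five strikes on a new device disable the account."""

    def __init__(self, verify_password: Callable[[str, str], bool], rng: Optional[random.Random] = None):
        self._verify = verify_password      # injected credential check; password hashing is out of scope here
        self._accounts: Dict[str, AccountState] = {}
        self.audit: List[str] = []          # stands in for the CMS audit trail
        self._rng = rng or random.Random()

    def _neutral_failure(self) -> Tuple[bool, float]:
        # Same response whatever the cause, after a random wait: nothing for a guessing script to learn from.
        return False, self._rng.uniform(0.0, MAX_DELAY_SECONDS)

    def attempt(self, user: str, password: str, device: str, now: float) -> Tuple[bool, float]:
        """Returns (granted, seconds to wait before responding)."""
        acct = self._accounts.setdefault(user, AccountState())
        if now < acct.disabled_until:
            self.audit.append(f"Failed login: user={user} device={device} (account suspended)")
            return self._neutral_failure()
        if self._verify(user, password):
            acct.trusted_devices.add(device)              # drop the device cookie
            acct.failures.pop(device, None)
            self.audit.append(f"Successful login: user={user} device={device}")
            return True, 0.0
        self.audit.append(f"Failed login: user={user} device={device}")
        if device not in acct.trusted_devices:            # known devices may retry freely
            acct.failures[device] = acct.failures.get(device, 0) + 1
            if acct.failures[device] >= LOCKOUT_FAILURES:
                acct.disabled_until = now + LOCKOUT_SECONDS
                acct.failures[device] = 0
                self.audit.append(f"Account suspended: user={user} until={acct.disabled_until:.0f}")
                self.audit.append(f"Reset email sent: user={user}")   # hypothetical notification hook
        return self._neutral_failure()
```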
All user access actions appear in the audit trail. These include:
- Successful logins
- Failed logins
- Password reset
- Hacked cookie
- Account suspended
The 'remember password' functionality is based around this recommended best practice. When the user successfully logs in with 'remember password' selected, a cookie is dropped containing a token and a hash of their username and ID. When their session expires and they revisit the site, the token is used to verify that the values from the cookie match the user the token belongs to. If so, access is granted. Every time the token is used to log the user in automatically, it is reset. If a user manually logs out of the site, the cookie is deleted.