Skip to main content
D
Danial22236738npv0
Participant
December 14, 2021
Answered

Account Lockup

  • December 14, 2021
  • 2 replies
  • 665 views

Hi

 

I am brand new to Adobe CloudFusion. My supervisor has tasked me with implementing Account Lockup on our server. Can you guide me as to how to do this and if there is any scripts or coding, it would be a termendous help.

 

I tried looking for materials in Google and Youtube, but there is no beginner guide to do so, to my knowledge.

 

Thank you in advance.

This topic has been closed for replies.
Correct answer BKBK

 

 I want to set Account Lockout policy, so that after several failed attempts, the user will be lockout of their account for specific duration. 


By @Danial22236738npv0

 

That is a good question. It is in fact one of the commonest use-cases among login requirements. 

 

There is no universal solution. It all depends on your specific requirements. So, start by specifying your requirements, in layman's terms. For example,

  • What is the number of failed login attempts after which user will be locked out?
  • Is that number counted per session or for a given time interval?
  • How long is the lock-out duration?
  • What happens when a locked-out user attempts to log in? What is the feedback to the user?

 

I shall now give you a description of a possible solution.

  • When a user proceeds to log in, the application queries the database table, lockedOutUser, to determine whether the user is currently locked out. If so, the user is redirected ("gently eased out of the application") to the page lockedOut.cfm. The page tells the user, in friendly terms, why he or she is locked out and how long the lock-out will last. (Frame your interaction positively: "You will be able to log in after 10 minutes. See you then." is preferable to "You will be prevented from logging in for 10 minutes.")
  • The application stores the user's login properties as session variables, including session.numberOfFailedLoginAttempts, whose default value is 0.
  • Session.numberOfFailedLoginAttempts increases by 1 whenever login fails.
  • When session.numberOfFailedLoginAttempts reaches the maximum value allowed, the user-credentials, numberOfFailedLoginAttempts, lock-out time, and any other relevant information is stored in the table, lockedOutUser.

 

2 replies

Charlie Arehart
Community Expert
Charlie ArehartCommunity Expert
Community Expert
December 14, 2021

I'll assume you mean "lockdown" rather than "lockup", and that you mean "to make CF more secure"  than it is by default.

 

Sadly, there's no beginner guide. There is an auto lockdown tool offered with CF2018 and above--and while "easy to use" I would NOT call it a beginner tool. Nearly everyone I know who's ever run it rued the day, as it made their server virtually unsable. Very secure, but pretty much unusable. That was too high a price for most to pay.

 

Instead, there has for years been the ColdFusion Lockdown Guide (which you may not have found readily if you googled for account lockup--which means make the account unsable). The lockdown guide was written by Pete Freitag (not of Adobe, but FOR Adobe), and it's been updated every release since CF8. You don't say what version you are on, but google: coldfusion 2016 lockdown guide, for instance, to find that version's guide.

 

And that 2016 guide was indeed the last one written before the new CF2018 auto lockdown tool, which the guides since then focus on using. Some regard that 2016 guide as "the guide" to use to walk through the process.

 

But it too is no 'beginner guide", as it involves dozens of steps (with sometimes many sub-steps) and many dozens of pages.

 

So what to do? Hire someone to help. Seriously. Or plow through the guide. I'm not aware of any other "beginner guide".

 

FWIW, recent CF installers have added more choices to make CF "more secure" out of the box (if you choose those options), while CF itself is "more secure" than earlier CF versions were. That may be consolation enough for you and your supervisor. If not, then pull out the Lockdown Guide and follow along, or hire someone. I provide such help (carehart.org) as does Pete Freitag (foundeo.com). And I list  at my CF411 site still more CF development companies and CF troubleshooting consulting companies who may be able to help.

 

Or perhaps someone else reading this will reply with a better "beginner guide" for you. (Someone may be tempted to recommend that the "learn CF in a week" site has lots of great intro topics, but their discussion on this topic of securely configuring CF is pretty slim.)

 

Sorry I can't offer just what you need. It's an intereting opportunity for someone to pursue.

/Charlie (troubleshooter, carehart. org)
    D
    Danial22236738npv0Author
    Participant
    December 14, 2021

    Hi Charlie

     

    Thank you for your extensive reply to my question. Actually, what I was meant to say is Account Lockout instead of Lockup. I want to set Account Lockout policy, so that after several failed attempts, the user will be lockout of their account for specific duration. 

     

    I am not sure if Lockdown and Lockout, is the same thing or covers similar security, but I will go through the material you recommended, ColdFusion 2021 Lockdown Guide.  

     

    Once again, thank you very much sir for taking your time to reply to my question. 

    Charlie Arehart
    Community Expert
    Charlie ArehartCommunity Expert
    Community Expert
    December 14, 2021

    Ah, no. To quote a very old SNL skit, "that's very different". 🙂

     

    So you did indeed mean to "make an account usable", as I hinted about the term you'd used. But sadly, no,

     it's not something covered in the lockdown guide. 

     

    So help us out: is your supervisor wanting to lockout repeated failed attempts to access the cf admin? Or some cf app of your own?

     

    There is (again, sadly) no feature in the cf admin for this. But then access to the cf admin is locked down to the local machine by default, since cf2016 at least.

     

    As for enabling this for your own app, there's no "feature" of cf that enables this. It's one you'd need to code yourself. Logically it may seem rather simple on the surface, to create at least "something that's better than nothing". I've not seen any shared cfml code or even blog post on the topic, though again it's a good one for someone.

     

    But I'll add that truly effective security can get challenging quickly. Someone designing such a system should really research account lockout concepts (in any app or platform) to ensure they don't leave an unexpected hole in their protection.

     

    Hope that helps. 

    /Charlie (troubleshooter, carehart. org)
      D
      Danial22236738npv0Author
      Participant
      December 14, 2021

      Adobe Coldfusion**

      Terms & ConditionsAccessibility statement
      Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices