
Account Lockup

Community Beginner, Dec 13, 2021

Hi

I am brand new to Adobe ColdFusion. My supervisor has tasked me with implementing Account Lockup on our server. Can you guide me as to how to do this? If there are any scripts or coding, it would be a tremendous help.

I tried looking for materials in Google and Youtube, but there is no beginner guide to do so, to my knowledge.

Thank you in advance.

TOPICS: Database access, Security, Server administration

Community Beginner, Dec 13, 2021

Adobe ColdFusion**

Community Expert, Dec 13, 2021

I'll assume you mean "lockdown" rather than "lockup", and that you mean "to make CF more secure" than it is by default.

Sadly, there's no beginner guide. There is an auto lockdown tool offered with CF2018 and above--and while "easy to use" I would NOT call it a beginner tool. Nearly everyone I know who's ever run it rued the day, as it made their server virtually unusable. Very secure, but pretty much unusable. That was too high a price for most to pay.

Instead, there has for years been the ColdFusion Lockdown Guide (which you may not have found readily if you googled for account lockup--which means make the account unusable). The lockdown guide was written by Pete Freitag (not of Adobe, but FOR Adobe), and it's been updated every release since CF8. You don't say what version you are on, but google: coldfusion 2016 lockdown guide, for instance, to find that version's guide.

And that 2016 guide was indeed the last one written before the new CF2018 auto lockdown tool, which the guides since then focus on using. Some regard that 2016 guide as "the guide" to use to walk through the process.

But it too is no "beginner guide", as it involves dozens of steps (with sometimes many sub-steps) and many dozens of pages.

So what to do? Hire someone to help. Seriously. Or plow through the guide. I'm not aware of any other "beginner guide".

FWIW, recent CF installers have added more choices to make CF "more secure" out of the box (if you choose those options), while CF itself is "more secure" than earlier CF versions were. That may be consolation enough for you and your supervisor. If not, then pull out the Lockdown Guide and follow along, or hire someone. I provide such help (carehart.org) as does Pete Freitag (foundeo.com). And I list at my CF411 site still more CF development companies and CF troubleshooting consulting companies who may be able to help.

Or perhaps someone else reading this will reply with a better "beginner guide" for you. (Someone may be tempted to recommend that the "learn CF in a week" site has lots of great intro topics, but their discussion on this topic of securely configuring CF is pretty slim.)

Sorry I can't offer just what you need. It's an interesting opportunity for someone to pursue.

/Charlie (troubleshooter, carehart.org)

Community Beginner, Dec 13, 2021

Hi Charlie

Thank you for your extensive reply to my question. Actually, what I meant to say is Account Lockout instead of Lockup. I want to set an Account Lockout policy, so that after several failed attempts, the user will be locked out of their account for a specific duration.

I am not sure if Lockdown and Lockout are the same thing or cover similar security, but I will go through the material you recommended, ColdFusion 2021 Lockdown Guide.

Once again, thank you very much sir for taking your time to reply to my question.

Community Expert, Dec 13, 2021

Ah, no. To quote a very old SNL skit, "that's very different". 🙂

So you did indeed mean to "make an account usable", as I hinted about the term you'd used. But sadly, no, it's not something covered in the lockdown guide.

So help us out: is your supervisor wanting to lockout repeated failed attempts to access the cf admin? Or some cf app of your own?

There is (again, sadly) no feature in the cf admin for this. But then access to the cf admin is locked down to the local machine by default, since cf2016 at least.

As for enabling this for your own app, there's no "feature" of cf that enables this. It's one you'd need to code yourself. Logically it may seem rather simple on the surface, to create at least "something that's better than nothing". I've not seen any shared cfml code or even blog post on the topic, though again it's a good one for someone.

But I'll add that truly effective security can get challenging quickly. Someone designing such a system should really research account lockout concepts (in any app or platform) to ensure they don't leave an unexpected hole in their protection.

Hope that helps.

/Charlie (troubleshooter, carehart.org)

Community Beginner, Dec 13, 2021

Question: So help us out: is your supervisor wanting to lockout repeated failed attempts to access the cf admin? Or some cf app of your own?

Answer: lockout repeated failed attempts to access our own app.

Guess I will have to do the coding for it then.

Thank you.

Community Expert, Dec 15, 2021

 

"I want to set an Account Lockout policy, so that after several failed attempts, the user will be locked out of their account for a specific duration."
By @Danial22236738npv0

That is a good question. It is in fact one of the commonest use-cases among login requirements.

There is no universal solution. It all depends on your specific requirements. So, start by specifying your requirements, in layman's terms. For example,

  • What is the number of failed login attempts after which the user will be locked out?
  • Is that number counted per session or for a given time interval?
  • How long is the lock-out duration?
  • What happens when a locked-out user attempts to log in? What is the feedback to the user?

I shall now give you a description of a possible solution.

  • When a user proceeds to log in, the application queries the database table, lockedOutUser, to determine whether the user is currently locked out. If so, the user is redirected ("gently eased out of the application") to the page lockedOut.cfm. The page tells the user, in friendly terms, why he or she is locked out and how long the lock-out will last. (Frame your interaction positively: "You will be able to log in after 10 minutes. See you then." is preferable to "You will be prevented from logging in for 10 minutes.")
  • The application stores the user's login properties as session variables, including session.numberOfFailedLoginAttempts, whose default value is 0.
  • Session.numberOfFailedLoginAttempts increases by 1 whenever login fails.
  • When session.numberOfFailedLoginAttempts reaches the maximum value allowed, the user credentials, numberOfFailedLoginAttempts, lock-out time, and any other relevant information are stored in the table, lockedOutUser.


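The design sketched in the answer above, turned into a ColdFusion component as an added example; this is not code from the thread, from Adobe, or from any of the posters. It assumes a datasource named myDSN, a lockedOutUser table with the columns listed in the comment, and a credentialsAreValid() helper of your own (all of these are assumptions), and the threshold values are constructed placeholders to be replaced with the answers to the requirements questions the answer lists. Of the two counting options the answer raises, this takes the time-interval one: the failure count lives in the database keyed by username rather than in the session, so it is the same whichever browser or session the attempts arrive from, and the lock is checked before the password is verified.

```cfml
// LoginLockout.cfc  (added example, not code from the thread)
// Assumed table (constructed for this example):
//   lockedOutUser(username VARCHAR PRIMARY KEY, failedAttempts INT,
//                 firstFailedAt DATETIME, lockedUntil DATETIME NULL)
component {

    public LoginLockout function init(
        required string datasource,
        numeric maxFailedAttempts = 5,    // lock after this many failures ...
        numeric windowMinutes     = 15,   // ... counted within this many minutes ...
        numeric lockoutMinutes    = 10    // ... for this long (constructed values)
    ) {
        variables.datasource        = arguments.datasource;
        variables.maxFailedAttempts = arguments.maxFailedAttempts;
        variables.windowMinutes     = arguments.windowMinutes;
        variables.lockoutMinutes    = arguments.lockoutMinutes;
        return this;
    }

    // Call BEFORE verifying the password, so a locked account is never tested.
    // Returns { locked = boolean, minutesLeft = numeric } for the lockedOut.cfm message.
    public struct function checkLockout(required string username) {
        var row = getRow(arguments.username);
        if (row.recordCount && isDate(row.lockedUntil[1])
                && dateCompare(row.lockedUntil[1], now()) == 1) {
            return { locked = true,
                     minutesLeft = dateDiff("n", now(), row.lockedUntil[1]) + 1 };
        }
        return { locked = false, minutesLeft = 0 };
    }

    // Record one failed login. Failures are counted from the first failure for
    // windowMinutes; reaching maxFailedAttempts inside that window sets lockedUntil.
    public void function recordFailure(required string username) {
        var row           = getRow(arguments.username);
        var failures      = 1;
        var firstFailedAt = now();
        var lockedUntil   = "";

        if (row.recordCount && isDate(row.firstFailedAt[1])
                && dateDiff("n", row.firstFailedAt[1], now()) < variables.windowMinutes) {
            failures      = row.failedAttempts[1] + 1;   // still inside the counting window
            firstFailedAt = row.firstFailedAt[1];
        }
        if (failures >= variables.maxFailedAttempts) {
            lockedUntil = dateAdd("n", variables.lockoutMinutes, now());
            failures    = 0;                              // counting restarts after the lock expires
        }

        var params = {
            username      = { value = arguments.username, cfsqltype = "cf_sql_varchar" },
            failures      = { value = failures,           cfsqltype = "cf_sql_integer" },
            firstFailedAt = { value = firstFailedAt,      cfsqltype = "cf_sql_timestamp" },
            lockedUntil   = { value = lockedUntil,        cfsqltype = "cf_sql_timestamp",
                              null  = !isDate(lockedUntil) }
        };
        var sql = row.recordCount
            ? "UPDATE lockedOutUser SET failedAttempts = :failures, firstFailedAt = :firstFailedAt, "
              & "lockedUntil = :lockedUntil WHERE username = :username"
            : "INSERT INTO lockedOutUser (username, failedAttempts, firstFailedAt, lockedUntil) "
              & "VALUES (:username, :failures, :firstFailedAt, :lockedUntil)";
        queryExecute(sql, params, { datasource = variables.datasource });
    }

    // A successful login clears the account's counter and any expired lock.
    public void function recordSuccess(required string username) {
        queryExecute("DELETE FROM lockedOutUser WHERE username = :username",
            { username = { value = arguments.username, cfsqltype = "cf_sql_varchar" } },
            { datasource = variables.datasource });
    }

    private query function getRow(required string username) {
        return queryExecute(
            "SELECT failedAttempts, firstFailedAt, lockedUntil FROM lockedOutUser WHERE username = :username",
            { username = { value = arguments.username, cfsqltype = "cf_sql_varchar" } },
            { datasource = variables.datasource });
    }
}

/* Usage in login.cfm (cfscript); credentialsAreValid() is your own check (hypothetical name):
    lockout = new LoginLockout(datasource = "myDSN");
    status  = lockout.checkLockout(form.username);
    if (status.locked) {
        location(url = "lockedOut.cfm?minutes=" & status.minutesLeft, addToken = false);
    }
    if (credentialsAreValid(form.username, form.password)) {
        lockout.recordSuccess(form.username);
    } else {
        lockout.recordFailure(form.username);
    }
*/
```

Every value reaching SQL goes through a query parameter, and the lockedUntil column is written as a real NULL rather than an empty string when no lock is in force, so the isDate() check in checkLockout is what decides whether a row still counts as locked.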
Community Beginner, Dec 15, 2021

Hi BKBK

Thank you for your solutions.

Community Expert, Dec 16, 2021

My pleasure, @Danial22236738npv0.
