Brute-forcing the login screen is blocked by account lockout: after MaxFailedAccessAttemptsBeforeLockout consecutive failed attempts (configured under Umbraco:CMS:Security:UserPassword) the user's account is locked, and no further attempt will succeed until the account is unlocked in the Users section. Note that this also means anyone who knows a valid username can deliberately lock that account out, so treat repeated lockouts as a signal worth monitoring rather than as user error.
When you submit the password reset form, an email is sent to the user with a link. This link contains a random token for this user that is valid for 24 hours.
The AllowPasswordReset setting (Umbraco:CMS:Security:AllowPasswordReset) is documented in the Umbraco Security Settings article, and the e-mail configuration in the Backoffice Login Password Reset section.
If the user specified in the form does not exist, no e-mail is sent and the form gives no indication that the user does not exist. This prevents the form from being used to enumerate which e-mail addresses have an account.
If a user is locked out, a password reset is still possible. Following the link in the reset e-mail does not by itself unlock the account; the account is unlocked automatically once the user has set a new password.
If you have lost the admin user password and need to reset it, see the article on resetting the admin password.
This section includes information on Umbraco security, its various security options and configuring how authentication & authorization works in Umbraco
In this article, you will find everything you need regarding security within Umbraco.
On our main website, we have a dedicated security section which provides all the details you need to know about security within the Umbraco CMS. This includes how to report a vulnerability.
We highly encourage the use of HTTPS on Umbraco websites, especially in production environments. By using HTTPS you greatly improve the security of your website.
In the "Use HTTPS" article you can learn more about how to use HTTPS and how to set it up.
Learn which password settings that can be configured in Umbraco.
Learn about how to harden the security on your Umbraco website to secure it even further.
When your project is hosted on Umbraco Cloud, you might be interested in more details about the security of the hosting. This information can be found in the Umbraco Cloud FAQs section of the documentation.
Authentication for backoffice users and website members in Umbraco uses ASP.NET Core Identity which is a flexible and extendable framework for authentication.
Out of the box Umbraco ships with a custom ASP.NET Core Identity implementation which uses Umbraco's database data. Normally this is fine for most Umbraco developers, but in some cases the authentication process needs to be customized.
Umbraco users and members support external login providers (OAuth) for authenticating your users and members. This can be any OpenID Connect provider, such as Entra ID/Azure Active Directory, Identity Server, Google or Facebook.
Umbraco members support a two-factor authentication (2FA) abstraction for implementing a 2FA provider of your choice. This can be any Time-based One-time Password (TOTP) provider, including the Microsoft and Google Authenticator apps.
The BackOfficeUserManager is the ASP.NET Core Identity UserManager implementation in Umbraco. It exposes APIs for working with Umbraco users via ASP.NET Core Identity, including password handling.
In most cases external login providers (OAuth) will meet your needs when authenticating against external resources, but sometimes you only need to change how the username and password credentials are checked.
This is typically a legacy approach to validating credentials against external resources, but it is possible.
You can check the username and password against your own credential store by implementing IBackOfficeUserPasswordChecker.
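The following is an added example of such a checker; it is not code from the Umbraco documentation or the Umbraco project. It assumes the Umbraco 9+ API (IBackOfficeUserPasswordChecker, BackOfficeIdentityUser and BackOfficeUserPasswordCheckerResult in Umbraco.Cms.Core.Security, registration through an IComposer) and uses a constructed in-memory dictionary of PBKDF2 hashes as a stand-in for the external credential store. The names ExternalStorePasswordChecker, ExternalStorePasswordCheckerComposer and the sample account are assumptions for illustration.

```csharp
// Added example, not Umbraco's own code: validate backoffice credentials against an
// external credential store, falling back to Umbraco's own password hash (DontCheck)
// for accounts the store does not own, and failing closed on any error.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Security;

public sealed class ExternalStorePasswordChecker : IBackOfficeUserPasswordChecker
{
    private const int Iterations = 100_000;   // PBKDF2 work factor of the stand-in store
    private const int HashLength = 32;        // PBKDF2-SHA256 output length in bytes
    private readonly ILogger<ExternalStorePasswordChecker> _logger;

    // Constructed sample data standing in for the external store: username -> (salt, hash).
    // A real implementation would query a legacy directory or database here.
    private static readonly Dictionary<string, (byte[] Salt, byte[] Hash)> Store = BuildStore();

    public ExternalStorePasswordChecker(ILogger<ExternalStorePasswordChecker> logger) => _logger = logger;

    public Task<BackOfficeUserPasswordCheckerResult> CheckPasswordAsync(BackOfficeIdentityUser user, string password)
    {
        // Umbraco has already resolved the user, so user.UserName is the backoffice login.
        // Accounts unknown to the external store are left to Umbraco's own hash check,
        // which keeps a local break-glass administrator working if the store is retired.
        if (user.UserName is null || !Store.TryGetValue(user.UserName, out var record))
        {
            return Task.FromResult(BackOfficeUserPasswordCheckerResult.DontCheck);
        }

        try
        {
            byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(
                Encoding.UTF8.GetBytes(password ?? string.Empty),
                record.Salt, Iterations, HashAlgorithmName.SHA256, HashLength);

            // Fixed-time comparison: an early-exit byte comparison would leak how many
            // leading bytes of the stored hash a guess matched.
            bool ok = CryptographicOperations.FixedTimeEquals(candidate, record.Hash);
            return Task.FromResult(ok
                ? BackOfficeUserPasswordCheckerResult.ValidCredentials
                : BackOfficeUserPasswordCheckerResult.InvalidCredentials);
        }
        catch (Exception ex)
        {
            // Fail closed: an unreachable or faulty store must never log anyone in.
            _logger.LogError(ex, "External credential check failed for {UserName}", user.UserName);
            return Task.FromResult(BackOfficeUserPasswordCheckerResult.InvalidCredentials);
        }
    }

    private static Dictionary<string, (byte[] Salt, byte[] Hash)> BuildStore()
    {
        // Constructed entry: legacy account "editor@example.com" with password "CorrectHorse!1".
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            Encoding.UTF8.GetBytes("CorrectHorse!1"), salt, Iterations, HashAlgorithmName.SHA256, HashLength);
        return new Dictionary<string, (byte[] Salt, byte[] Hash)>(StringComparer.OrdinalIgnoreCase)
        {
            ["editor@example.com"] = (salt, hash),
        };
    }
}

// Registers the checker so Umbraco's BackOfficeUserManager consults it during login.
public sealed class ExternalStorePasswordCheckerComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        builder.Services.AddUnique<IBackOfficeUserPasswordChecker, ExternalStorePasswordChecker>();
    }
}
```

The checker only decides whether the supplied password is valid; the user record must still exist in Umbraco, since the method receives the resolved BackOfficeIdentityUser. Returning DontCheck rather than InvalidCredentials for accounts outside the external store is a deliberate choice so that migrating to or away from the store does not lock every local administrator out.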
Marking fields as sensitive will hide the data in those fields for backoffice users that do not have permission to view personal data of members.
Learn more about this in the Sensitive Data article.
How to configure Umbraco to run on a FIPS compliant server.
Use this guide to reset the password of the "admin" user.
If you need to reset the accounts of other users while you still have administrative access, see the "reset normal user password" article.
The cookies listed in this article are required only for accessing the Backoffice. You can include these in your own cookie policy, if you wish.
The below cookies are necessary for accessing the Umbraco Backoffice and functioning of the website. They allow you to enjoy the contents and services you request.
The UMB_SESSION cookie is marked Secure when the site is served over HTTPS. If you want to enforce this in code regardless of how the request arrived, add a cookie policy in the Program.cs file after builder.Build().
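As an added example, not the page's own code, here is a Program.cs for an Umbraco site that enforces the Secure attribute on every cookie the application issues, UMB_SESSION included. It assumes the Umbraco 13 project template (its implicit usings, builder.CreateUmbracoBuilder() and the UseUmbraco() pipeline); only the app.UseCookiePolicy call is the addition, placed after Build() and before the Umbraco middleware so that it applies to cookies Umbraco sets.

```csharp
// Added example (not from the Umbraco documentation or project): Program.cs with a
// cookie policy that forces the Secure attribute on all cookies, including UMB_SESSION.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;
using Umbraco.Extensions;

WebApplicationBuilder builder = WebApplication.CreateBuilder(args);

builder.CreateUmbracoBuilder()
    .AddBackOffice()
    .AddWebsite()
    .AddComposers()
    .Build();

WebApplication app = builder.Build();

// The cookie policy middleware rewrites every cookie appended through HttpResponse.Cookies.
// Secure = Always stamps the Secure attribute unconditionally, so browsers will refuse to
// store the backoffice cookie on an http:// origin; that is the intended effect, and it
// holds even behind a TLS-terminating proxy that forwards plain HTTP to the app.
// Do NOT add HttpOnly = HttpOnlyPolicy.Always here: the backoffice reads its anti-forgery
// cookie (UMB-XSRF-TOKEN) from JavaScript, and a blanket HttpOnly policy breaks that.
// MinimumSameSitePolicy is left at its default (Lax); Strict would interfere with
// external login provider redirects back into the backoffice.
app.UseCookiePolicy(new CookiePolicyOptions
{
    Secure = CookieSecurePolicy.Always
});

await app.BootUmbracoAsync();

app.UseUmbraco()
    .WithMiddleware(u =>
    {
        u.UseBackOffice();
        u.UseWebsite();
    })
    .WithEndpoints(u =>
    {
        u.UseBackOfficeEndpoints();
        u.UseWebsiteEndpoints();
    });

await app.RunAsync();
```

After deploying, confirm the change by logging in to the backoffice over HTTPS and inspecting the Set-Cookie response header for UMB_SESSION in the browser's developer tools: it should carry the Secure attribute, and a login attempt over plain HTTP should fail to establish a session.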
For information on the rest of the cookies, see the file on GitHub.