Security Settings
Information on the security settings section
The options in the Security section let you configure backoffice authentication: whether users stay logged in, the authentication cookie, password rules, lockout thresholds and more.
A full configuration with all default values is shown below:
"Umbraco": {
  "CMS": {
    "Security": {
      "KeepUserLoggedIn": false,
      "HideDisabledUsersInBackOffice": false,
      "AllowPasswordReset": true,
      "AuthCookieName": "UMB_UCONTEXT",
      "AuthCookieDomain": "",
      "AllowEditInvariantFromNonDefault": true,
      "UsernameIsEmail": true,
      "UserPassword": {
        "RequiredLength": 10,
        "RequireNonLetterOrDigit": false,
        "RequireDigit": false,
        "RequireLowercase": false,
        "RequireUppercase": false,
        "HashAlgorithmType": "PBKDF2.ASPNETCORE.V3",
        "MaxFailedAccessAttemptsBeforeLockout": 5
      },
      "MemberPassword": {
        "RequiredLength": 10,
        "RequireNonLetterOrDigit": false,
        "RequireDigit": false,
        "RequireLowercase": false,
        "RequireUppercase": false,
        "HashAlgorithmType": "PBKDF2.ASPNETCORE.V3",
        "MaxFailedAccessAttemptsBeforeLockout": 5
      }
    }
  }
}
At the root level of the Security section you can configure the following settings.
KeepUserLoggedIn
If set to false (the default), a user is logged out after a period with no activity; the length of that period is set with the TimeOut key in the Global settings. If set to true, the backoffice session is kept alive across periods of inactivity, which enlarges the window in which an unattended or stolen session can be used, so leave it false on production sites unless you have a specific reason to change it.
HideDisabledUsersInBackOffice
If set to true, disabled users are not shown in the backoffice, which means their access cannot be re-enabled from there. It also means you cannot create a user with an identical username if the original user was disabled by mistake, because the hidden user still holds that username.
AllowPasswordReset
Allows users to reset their password if they have forgotten it. This is enabled by default; if you would rather not allow it, setting this value to false disables the feature at both the UI and the API level.
AuthCookieName
The name of the authentication cookie set in the browser when a backoffice user logs in. Defaults to UMB_UCONTEXT.
AuthCookieDomain
The domain the authentication cookie is scoped to. When left empty (the default) the cookie is scoped to the domain the backoffice is served from. Setting it to a parent domain makes the cookie available to every host under that domain, so only widen it deliberately.
AllowEditInvariantFromNonDefault
Invariant properties are properties on a multilingual site that do not vary by culture, which means they share the same value across all languages added to the website.
When this setting is false, the invariant properties shared between all languages can only be edited from the default language, so an editor needs access to the default language in order to edit them. When it is true (the default), the invariant properties can be edited from any language but must be unlocked first; the lock exists to make it clear that the change will affect more than one language.
UsernameIsEmail
Specifies whether the username and email address are separate fields in the backoffice user editor. When set to false, you can specify an email address and a username, and only the username can be used to log in. When set to true (the default), the username field is hidden and the username is always the same as the email address.
UserPassword
This section lets you define the password rules for users.
RequiredLength
Specifies the minimum length a user password must have.
RequireNonLetterOrDigit
If enabled, requires a user's password to contain at least one character that is neither a letter nor a digit.
RequireDigit
If enabled, requires a user's password to contain at least one digit.
RequireLowercase
If enabled, requires a user's password to contain at least one lowercase letter.
RequireUppercase
If enabled, requires a user's password to contain at least one uppercase letter.
MaxFailedAccessAttemptsBeforeLockout
Specifies the maximum number of failed password attempts allowed before the user is locked out of the site.
HashAlgorithmType
Specifies the hashing algorithm used to store the user's password.
Options are:
"PBKDF2.ASPNETCORE.V3"
"PBKDF2.ASPNETCORE.V2"
"HMACSHA256"
"HMACSHA1"
The default, PBKDF2.ASPNETCORE.V3, is a salted, iterated password derivation with an adjustable work factor. HMACSHA256 and HMACSHA1 are fast keyed hashes with no work factor and are only appropriate where existing hashes in that format must still be verified; keep the default for new installations.
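To make the effect of the UserPassword settings concrete, the following added example (not Umbraco's own code, and not part of this page) re-implements the password rules, the lockout counter and the on-disk "PBKDF2.ASPNETCORE.V3" hash format as a stand-alone Python module. It assumes that Umbraco delegates these checks to ASP.NET Core Identity, and the V3 byte layout it reproduces is the one used by ASP.NET Core Identity's PasswordHasher; the default iteration count differs between framework versions, so the verifier reads it from the stored hash rather than assuming a value. The policy dictionary is constructed for the example with the four Require* flags switched on.

```python
"""Password policy, lockout counter and PBKDF2 V3 hash format for the
Umbraco:CMS:Security:UserPassword settings.

Added example, not Umbraco's code. Assumption: Umbraco enforces these
rules through ASP.NET Core Identity; the V3 layout below follows the
ASP.NET Core Identity PasswordHasher format.
"""
import base64
import hashlib
import hmac
import os
import struct

# Constructed policy: the page's defaults with the Require* flags on,
# so the checker has something to reject.
POLICY = {
    "RequiredLength": 10,
    "RequireNonLetterOrDigit": True,
    "RequireDigit": True,
    "RequireLowercase": True,
    "RequireUppercase": True,
    "MaxFailedAccessAttemptsBeforeLockout": 5,
}


def password_violations(password, policy=POLICY):
    """Return the names of the rules the password fails (empty list = accepted)."""
    failed = []
    if len(password) < policy["RequiredLength"]:
        failed.append("RequiredLength")
    if policy["RequireNonLetterOrDigit"] and all(c.isalnum() for c in password):
        failed.append("RequireNonLetterOrDigit")
    if policy["RequireDigit"] and not any(c.isdigit() for c in password):
        failed.append("RequireDigit")
    if policy["RequireLowercase"] and not any(c.islower() for c in password):
        failed.append("RequireLowercase")
    if policy["RequireUppercase"] and not any(c.isupper() for c in password):
        failed.append("RequireUppercase")
    return failed


class LockoutTracker:
    """Counts consecutive failed logins per user; locks the account once
    MaxFailedAccessAttemptsBeforeLockout is reached."""

    def __init__(self, max_failures):
        self.max_failures = max_failures
        self.failures = {}
        self.locked = set()

    def record(self, user, success):
        """Record one login attempt; return True if the account is now locked."""
        if user in self.locked:
            return True  # a locked account stays locked, even on a correct password
        if success:
            self.failures[user] = 0
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
        return user in self.locked


# "PBKDF2.ASPNETCORE.V3" on disk (integers big-endian):
#   0x01 | prf (uint32) | iterations (uint32) | salt length (uint32) | salt | subkey
# prf values follow ASP.NET Core's KeyDerivationPrf enum.
PRF_NAMES = {0: "sha1", 1: "sha256", 2: "sha512"}


def hash_password_v3(password, iterations=100_000, salt=None):
    """Produce a base64 V3 hash (HMAC-SHA256 PRF, 16-byte salt, 32-byte subkey)."""
    salt = os.urandom(16) if salt is None else salt
    subkey = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    blob = b"\x01" + struct.pack(">III", 1, iterations, len(salt)) + salt + subkey
    return base64.b64encode(blob).decode("ascii")


def v3_header(stored):
    """Return (prf, iterations, salt_len) from a stored V3 hash, or None if not V3."""
    blob = base64.b64decode(stored)
    if len(blob) < 13 or blob[0] != 0x01:  # V2 hashes start with 0x00
        return None
    return struct.unpack(">III", blob[1:13])


def verify_password_v3(stored, password):
    """Verify a password against a V3 hash using the parameters embedded in it."""
    header = v3_header(stored)
    if header is None:
        return False
    prf, iterations, salt_len = header
    blob = base64.b64decode(stored)
    salt, expected = blob[13:13 + salt_len], blob[13 + salt_len:]
    if prf not in PRF_NAMES or len(salt) != salt_len or len(expected) < 16:
        return False
    actual = hashlib.pbkdf2_hmac(PRF_NAMES[prf], password.encode("utf-8"),
                                 salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)  # constant-time comparison


if __name__ == "__main__":
    print(password_violations("alllowercase1!"))  # ['RequireUppercase']
    stored = hash_password_v3("Tr0ub4dor&3")
    print(v3_header(stored), verify_password_v3(stored, "Tr0ub4dor&3"))
```

Because the iteration count, PRF and salt length are embedded in every V3 hash, raising the work factor in a later framework version does not invalidate existing hashes; they keep verifying with the parameters they were created with. The HMACSHA1 and HMACSHA256 options carry no such work factor, which is the practical reason to keep the PBKDF2 default.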
MemberPassword
This section lets you define the password rules for members. Its settings are identical to those of the UserPassword section above.