For developers: Users API
The users in Sitefinity CMS are represented by the Telerik.Sitefinity.Security.Model.User class. It exposes the following properties for storage of user-related information:
Gets or sets the name used for authenticating in the Sitefinity CMS application.
Gets or sets additional information about the user.
Gets or sets the date on which the user was created.
Gets or sets the e-mail of the user.
Specifies whether the user is approved. For more information, see Approving users.
Specifies whether the user is locked out. For more information, see Locking and unlocking users.
Gets or sets the question used for login, when the user has forgotten the password.
Gets or sets the password of the user.
Gets or sets a random string key for additional password security. For more information, read For developers: Password format.
Gets or sets the answer to the password question.
Gets or sets the password encryption format. For more information, read For developers: Password format.
Specifies whether the user can access the backend of the Sitefinity CMS application.
The User class also exposes a set of properties providing statistical information about the user. For more information, read For developers: User statistics.
In order to be able to login, a user must be approved. To approve a user, you must set its IsApproved property to true. When creating a user through the API, the value of this property is false. You must explicitly set it to true, when you want to approve the user. This allows you to create scenarios, where the newly registered user must perform some action before he gets approved.
Backend users are user that are allowed to login to the backend of the Sitefinity CMS application. Users that are not backend users, are only authenticated for the frontend content of the site.
To grant a user access to the backend of the application, you must set its IsBackendUser property to true.
Locking and unlocking users
In Sitefinity CMS, each user is allowed a limited amount of failed logins for a specified attempt time window. When the limit is exceeded, the user gets locked, and cannot log in until the attempt window expires. The lockout can be caused by either wrong password or wrong password answer inputs.
For example, the provider is configured to allow maximum of 5 login attempts for a window of 10 minutes. A user tries to login at 12:00 PM and fails. The start of the attempt window is 12:00 PM. If the user fails to login 4 more times before 12:10 PM, the user will get locked out. If the user gets locked out, he will be able to log in after the attempt window expires – after 12:10 PM.
Maximum number of attempts and attempt window
The maximum number of attempts and the attempt window are defined by the membership provider. To modify their values through the backend perform the following:
- Log in to the Sitefinity CMS backend.
- From the menu, click Administration » Settings.
- Click Advanced Settings.
- In the tree view, navigate to Security » Membership providers.
- Click the provider that you want to modify.
- Navigate to Parameters.
- The following parameters configure the locking out of users:
- Enter the desired values for the parameters.
- Click the Save changes button.
Locking and unlocking users
To determine whether to lock or unlock a user, you use the following values:
- Failed password or password answer attempts of the user
This values are stored in the FailedPasswordAttemptCount and the FailedPasswordAnswerAttemptCount properties of the User class. For more information, read For developers: User statistics.
- Failed password or password answer attempts window start
These values represent the time of the first failed attempt. They are stored in the FailedPasswordAttemptWindowStart and the FailedPasswordAnswerAttemptWindowStart properties of the User class.
- Maximum invalid password attempts
Represents the amount of failed password attempts or password answer attempts for the attempt window. This value is defined by the provider and can be accessed through the MaxInvalidPasswordAttempts property of the UserManager class.
- Attempt window
Represents the time span for the maximum amount of failed password or password answer attempts. This value is defined by the provider and can be accessed through the PasswordAttemptWindow property of the UserManager class.
To lock a user, set the IsLockedOut property of the User object to true. To unlock it, call the UnlockUser method of the UserManager class and pass the locked user as argument. When you authenticate a user, the logic for locking and unlocking the user is executed internally. For more information about authentication, read For developers: Authenticate users.
The user profile wraps the user and stores additional information such as first name, last name, avatar, etc. When creating a user, you must also create a user profile. For more information, read For developers: User profiles.