SENDSAFE LOGIN CONTROL

The system has many different means of logging in. Login can be automatic via a token saved in a cookie. Login can also occur from a login session token in a URL. Customer login can be used to restrict access control to specific puplic pages. By add a SID to a customer account you are adding admin login control.

User names and password must be 7 characters or longer (alphanumerics plus @ and '.' only).

See also: customer login

Duplicate Entries
Duplicate usernames are never allowed. Duplicate passwords are by default not allowed but the system can be configured to allow duplicate passwords by setting Application("securityAllowDupPassword") = true.

Login Vectoring
Login vectoring controls where the login page will redirect the user after successful login. This vector is controlled by hard coded options which can be overridden with two different URL parameters: NVector and GVector.

gvector = relative SSL location to proceed to after login (overrides default) javascript:gotoSSLURLWOEDI( 'store.customerlogin.asp?GVector=Store.myaccount.asp' )

nvector = relative NON-SSL location to proceed to after login (overrides default) javascript:gotoSSLURLWOEDI( 'store.customerlogin.asp?NVector=Store.myaccount.asp' )

If no login vector is provided via URL parameters then the customer login will vector to the location specified by Application("DefaultCustomerLoginRedirect").

Examples:
Application("DefaultCustomerLoginRedirect") = "browser.asp?Lev2List=LARGE+JACKETS&Start=0"
Application("DefaultCustomerLoginRedirect") = "browser.asp?TopList=subcat&brandsTL=ARMY+NAVY"

Suppressing Help Text
The help text displayed on the customer login pages can be suppressed by setting: Application("SupressHelpText") = true. This can be useful if custom text is to be displayed or horizontal space is limited. The login help buttons are not affected this setting.

Display of login MI Marketing Information
MI Marketing Information can be displayed and entered into the create new account dialog on the customer login page. Setting Application("securityIncludeMIInLogin") = true will enable the display.

Login Handing of Null Shoppng Carts
Null shopping carts are carts that are filled with items by a null customer. This can occur with both new and returning customers. A null customer is a customer which has not logged in yet and had been assigned a temporary customerid. The function isNullCustomer( customerId ) is used to identify null customers.

When a login occurs and a null cart exists, that null cart is assigned the customerId of the visitor logging in and control variables are set to use this null cart as the current-working order. The null customer login is deleted after the order is reassigned.

This null cart handling is managed by the function doLogon( userid, password ) in SendSafe.loginManagement.inc.asp. Please see audit file entries tagged: "NULL CART HANDLED AND ASSIGNED"

MyAccount Self-Creation

The MyAccount page can be setup to self-create an account. This can be useful for site which have discount plans or other reasons for customers to create an account before purchasing. To use this function simply append the URL parameter ?cna=1 to any MyAccount URL. Example:

<a HREF="javascript:gotoSSLURL( 'store.myaccount.asp?cna=1' )">Customer Signup</a>

Account Creation ByPass

The configuration securityAllowUserAccountBypass allows account creation to be bypassed and an automated userid and name to be created.

Account creation bypass will only work in Nvector references the Application("urlfor_CHECKOUTSTEP1") file OR if a GVector is specified.

Logging into admin pages

When SendSafe is intitially installed a default "superuser" account is setup in the system. A superuser account means you have authority to change anything you like in the entire system. Permission is controlled on the CustomerSID record admin page.

Login Requirements for admin pages (not customer pages) are:

• Only Microsoft Explorer is supported for running the admin pages
• Browser Setup Requirements

The default credentials are:
Userid: userid
Password: password

Hint 1: If you are having problems logging in, uncheck the box labeled "Hide Password." This will allow you to see the password you are typing (instead of the masking *** characters; see the illustration above.

Hint 2: The Captcha Test (five letters EWNOK) illustrated above, uses only alphabetic charcters, no number. This means any "O" is the letter "o", and not the number zero; likewise, any "I" is the uppercase letter "i" and not the number one.

It is recommended that you change your login immediately.

To change your login follow these steps:

1. Open this admin web page (this is the customer record admin page: http://www.yousite.com/SendSafeAdm/v2.AdminCustomer.asp

If you get an SSL error message then ignore it (this error means you do not have an SSL certificate installed on the site yet). You will not get this SSL warning once your site has gone live. You are getting this warning because we have not purchased SSL certificates for your site and are currently using a temporary certificate which does not match your site.

2. Follow logon instructions on this page using the userid and password above.

3. Locate the [ FIND ] button on this admin page and press it.

4. Locate your ntusername in the list at the top of the page (how to use find) and then click on the edit button next to that entry. This will load the record into the page for editing.

5. Locate the userid and password entry fields; and change them to whatever you would like to use.

6. Press the save button.

7. Congratulations… you have just completed your an admin task!

Login Lockouts
Logic lockouts occur when too many illegal login attempts have been made in a row. When a lockout occurs the user will see a message "like" the one shown below. The system will also send e-mail alerts to all listed admin addresses containing information about the violation. If you receive e-mail alerts, you should investigate because the alerts may have been caused by a password brute force attack

Other than an attack OR a customer repeatedly typing in the same bad credentials, the typical cause of this problem is that the user's customer account was deleted. Customer accounts should never be deleted (they should instead be decommissioned). If the illegal login is coming from a cookie stored on the customer's computer then the error condition will not expire. The problem will reoccur until that login cookie is deleted. In this event, a link to the SendSafe cookie cleaner is included in the user error message.

SendSafe Access Control
SendSafe Access control is used to control access to SendSafe pages. For access one must have a valid account (read permission is not tested). This control is used in pages such as Offer, OrderStatus, ListingMnger, etc. Typical setup:

1. Include [<!--#include file="SendSafe\SendSafe.ShopperAccessControl.inc.asp"-->] before all logic which displays data to be access restricted/controlled AND at the location that logon prompts are desired.

Notes:

• If a TID (transactionId) URL parameter is present THEN this access control system will test to make sure the customer who is logged in has permission to view this transaction. This TID function is used by printable receipts, ordering viewing, etc.

• The global flag permissionToView is set true/false for access control allowed (does not include readpermission testing).

Custom Admin Access Control
This form of access control is to restrict access to a page to people with some type of admin login. Access control can be easily added to any page using the SendSafe e-store framework access control infrstructure. For access one must have both a valid login account and read permission for the web page or superuser permission. Typical setup:

1. Include [<!--#include file="includes\customAccessControl.inc.asp"-->] before all logic which displays data to be access restricted/controlled AND at the location that logon prompts are desired.
2. capControlLogic = false
3. byPassAccessControl = true (in the browser.inc.asp file ONLY). If set true the browser.asp file will display results regardless login status
4. byPassListingAccessControl = true (in the listing.inc.asp file ONLY). If set true the listing.asp file will display results regardless login status
5. manuallyPlaceRenderingSub = true (this is often required).

Notes:

• The function capLoginControl() controls access, prompts for passwords, and sets global flags true/false

• The global flag customAccessPermissionGranted is set true/false for access control allowed (including readpermission required if configured as a requirement).

• In e-store framework pageconfig.inc.asp SET capControlLogic = true ONLY IF the function capLoginControl() is manually placed and called from within the file being access controlled.

• If protecting browser.asp (or clones) -- In e-store framework pageconfig.inc.asp SET byPassAccessControl = false. The browser.inc.asp include MUST occur AFTER the customAccessControl.inc.asp file; if included BEFORE then the query will not occur if read access is NOT present Regardless the state of this control flag.

• If protecting listing.asp (or clones) -- In e-store framework pageconfig.inc.asp SET byPassListingAccessControl = false. The listing.inc.asp include MUST occur AFTER the customAccessControl.inc.asp file; if included BEFORE then the query will not occur if read access is NOT present Regardless the state of this control flag.

• Include the [<!--#include file="includes\customAccessControl.inc.asp"-->] at the location where you want access control to take effect.

• The include file [<!--#include file="includes\customAccessControl.inc.asp"-->] must always be placed BEFORE any instances of a browser.inc.asp #include.