End-user login form
An existing end-user logs in with her email address and password, or can sign up for a new account. The “Create new account” button is present by default, but you can disable sign-up through feature toggles.
To protect against brute force attacks, the user's IP address is temporarily blacklisted after multiple failed authentication attempts. You can configure this through the throttle rates settings.
The “Remember me” toggle on the login form works as follows:
When it is not checked, a 24-hour session is created. In this case, the user is also automatically logged out when the browser or tab is closed.
When “Remember me” is checked, a 60-day session is created. The session is not closed when the browser or tab is closed.
Two minutes before session expiry, a pop-up dialog asks the user if she wants to extend the session. Unless she chooses to extend the session, she will be logged out automatically.
You can configure the 24-hour and 60-day time spans by following Customize user session expiry time.
The “Forgot password” link allows users to self-reset the password by using a temporary link sent to their email address. This requires email settings to be in place.
Bind user sessions to IP address
By default, a user session is bound to the user's IP address, so the same authentication tokens cannot be used from an IP address other than the one where login took place. To change this behaviour, check the related end-user setting.
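The session rules described above (24-hour and 60-day lifetimes, the two-minute extension prompt, and IP binding) can be modelled as a signed token check. This is an added illustration, not the product's own code: the token layout, the `KEY` secret, the function names, and the rule that extending restarts the original lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets

SHORT_TTL = 24 * 3600          # "Remember me" unchecked (page default)
LONG_TTL = 60 * 24 * 3600      # "Remember me" checked (page default)
WARN_WINDOW = 120              # prompt shown two minutes before expiry
KEY = secrets.token_bytes(32)  # hypothetical server-side signing key

def _sign(payload: str) -> str:
    return hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue(user: str, ip: str, remember_me: bool, now: int) -> str:
    """Create a token that records the login IP and the chosen lifetime."""
    ttl = LONG_TTL if remember_me else SHORT_TTL
    payload = f"{user}|{ip}|{ttl}|{now + ttl}"
    return f"{payload}|{_sign(payload)}"

def check(token: str, request_ip: str, now: int, bind_ip: bool = True) -> str:
    """Return 'ok', 'warn', 'expired', 'ip_mismatch' or 'invalid'."""
    payload, _, sig = token.rpartition("|")
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return "invalid"                 # forged or modified token
    try:
        _user, login_ip, _ttl, expires = payload.rsplit("|", 3)
        expires_at = int(expires)
    except ValueError:
        return "invalid"
    if now >= expires_at:
        return "expired"
    if bind_ip and request_ip != login_ip:
        return "ip_mismatch"             # token presented from another address
    if expires_at - now <= WARN_WINDOW:
        return "warn"                    # client should show the extension dialog
    return "ok"

def extend(token: str, request_ip: str, now: int) -> str:
    """Assumption: extending restarts the session's original lifetime."""
    if check(token, request_ip, now) not in ("ok", "warn"):
        raise PermissionError("session cannot be extended")
    user, ip, ttl, _ = token.rpartition("|")[0].rsplit("|", 3)
    return issue(user, ip, int(ttl) == LONG_TTL, now)
```

With `bind_ip=False` the same token is accepted from any address, which is the trade-off the end-user setting controls: users on changing networks stay logged in, but a copied token is no longer tied to the login address.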