This repository has been archived by the owner on Dec 14, 2017. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 239
Security Settings Configuration
pmbanugo edited this page Sep 18, 2014
·
2 revisions
The SecuritySettings class provides settings to control various security options in MembershipReboot. They are:
- MultiTenant (bool, default: false) : Allow more than one tenant?
- DefaultTenant (string, default: "default") : Default tenant name used when no tenant is specified (used when MultiTenant is false).
- EmailIsUsername (bool, default: false) : Email is used as the user's username.
- UsernamesUniqueAcrossTenants (bool, default: false) : Username must be unique across all tenants (normally username is only unique within each tenant).
- RequireAccountVerification (bool, default: true) : Email account must be verified before user can login.
- AllowLoginAfterAccountCreation (bool, default: true) : User can login immediately after account has been verified. Setting this to false would require the application to have some approval process.
- AccountLockoutFailedLoginAttempts (int, default: 10) : Number of failed password login attempts before the account is locked out.
- AccountLockoutDuration (TimeSpan, default: 5 minutes) : Duration an account will be locked due to too many failed password login attempts.
- AllowAccountDeletion (bool, default: true) : When account is closed, physically delete record from the database.
- PasswordHashingIterationCount (int, default: automatic) : Number of iterations used to hash passwords. Value of "0" means to automatically calculate the number based upon OWASP recommendations for the year.
- PasswordResetFrequency (int, default: disabled) : Number of days before passwords should be reset. Value of "0" indicates reset is not required.
- VerificationKeyLifetime (TimeSpan, default: 20 minutes) : Verification key sent for password reset, change email and change mobile will only work from the time verification key is sent till this duration later.
These values can be defaulted via a custom configuration element in the configuration file:
<configuration>
<configSections>
<section name="membershipReboot" type="BrockAllen.MembershipReboot.SecuritySettings, BrockAllen.MembershipReboot" />
</configSections>
<membershipReboot
requireAccountVerification="true"
emailIsUsername="false"
multiTenant="false"
passwordHashingIterationCount="0"
accountLockoutDuration="00:01:00"
passwordResetFrequency="0" />
</configuration>
Alternatively, these values can either be set in code when creating the MembershipRebootConfiguration
(which is needed by the UserAccountService
).
//Ninject
var configuration = new MembershipRebootConfiguration
{
EmailIsUsername = true,
MultiTenant = false,
RequireAccountVerification = true,
AllowLoginAfterAccountCreation = true
};
configuration.ConfigurePasswordComplexity();//ensures proper password complexity
kernel.Bind<MembershipRebootConfiguration>().ToConstant(configuration);
kernel.Bind<UserAccountService>().ToSelf();
Or using the SecuritySettings
class which then will passed to the MembershipRebootConfiguration
class
SecuritySettings securitySettings = new SecuritySettings();
securitySettings.AllowLoginAfterAccountCreation = true;
var config = new MembershipRebootConfiguration(securitySettings);