Site Protection HTML Login Form Configuration
Overview
This page describes how to setup a HTML Login form where your users will type in their login and password to access a protected area.
sample HTML Login form
Furthermore, this logon mode supports many features not available with basic authentication such as session log off, persistente logon, custom login form, dedicated custom access failure page....
This page provide instructions to execute the followings tasks:
- How to create a custom HTML Login page (using cookies or an ID emdebbed in the Url)
- How to setup persistente logon using cookies
- How to display a login form on your site home page
- How to prevent direct access to a protected Url
- How to create a dedicated access failure page
How to create a custom HTML Login page
(using cookies or an ID emdebbed
in the Url)
When a user login via an HTML Login form the protection system creates a "session" (identified by a Ticket ID) for this user. Once successfully logged on, the browser must provide to the server the Ticket ID with each request for a protected resource. The protection system supports two transport methods for the Ticket ID: "cookies" and "Url Emdebbed". The "Url Emdebbed" emdebbed mode consist in inserting the Ticket ID in the Url path as shown in the address bar below:
The next table list the differences associated with the two Ticket ID transport methods.
| Features / Ticket ID mode | Cookies | Url Emdebbed |
| Invisible to the user user | yes | no |
| Support persistente logon | yes | no |
| Client browser must support cookies | yes | no |
| Ticket mode supported by all browsers | no | yes |
| Ticjet mode supported by all application viewer | no | yes |
| Supports directory browsing | yes | no |
In order for the protection system to use an HTML login form to login users:
- go to the site proctection configuration window
- check [HTML Login Form]
- choose a Ticket ID transport method "Cookies" or "Url emdebbed"
- press [Apply Settings]
At this point, if you launch a browser and request a protected resource, the default HTML login page should be displayed (screen copy below).
default "<web root directory>\session\logon.htm" page
This login page is located in your web site directory at
<web root directory>\session\logon.htm
and may be freely customized as long as you respect the following requirements:
- The actual HTML form for the user to type in her/his credentials must be
defined as below:
<FORM METHOD="POST" ACTION="#LOGINSCRIPT#">
User name<INPUT type=text name="Username" value="">
Password<INPUT type=password name="Password" value="">
<INPUT type=hidden name="CNXDATA" value="#CNXDATA#">
<INPUT TYPE="SUBMIT" VALUE="Login">
</FORM>
- All images referenced in the file must be stored in subdirectory
"/session/dmz"
It is strongly recommended to save a backup copy of the original "logon.htm" file prior making any changes.
How to setup persistente logon using cookies
With Ticket ID transport method set to "Cookies" you may enable the persistente logon feature. In this case, the user login and password are saved in cookies. The persistence delay is defined in field "Credentials persistence":
When credentials persistence is enabled, session inactivity time-out is always disabled (set to 0).
How to display a login form on your site home page
The purpose of this section is to describe how to display a login form on a non protected page, for exemple on the site home page:
To display a login form on a site home page:
- add to the following HTML form to your page source code:
<FORM METHOD="POST" ACTION="/dcmd/iis/0/logon.htm">
User name<INPUT type=text name="Username" value="">
Password<INPUT type=password name="Password" value="">
<INPUT TYPE="SUBMIT" VALUE="Login">
</FORM>
- Define a Protected Area Home Page:
The protection system will redirect the client browser towards this Url when the user submit
valid credentials.
A sample home page with a login form is available in your web directory at "/session/HomePageLogon.htm"
How to prevent direct access to a protected Url
When a user tries to access directly a protected Url (via a shortcut or by typing the Url in the address bar), the protection system will request credentials and redirect the browser towards the requested protected page.
Under these circonstances, if you rather see the browser systematically redirected towards the protected home page, you must to enable option [On successful logon, always redirect to home page]
How to create a dedicated access failure page
By default, when access is denied to a none anonymous request the following page is displayed:
This access failure page is located in your web site directory and may be freely customized.
Access failure page:<web root directory>\session\failure_0.htm
If you rather not use a dedicated access failure page you can delete the file. In this case, the login form is displayed on all access failure.