User Login Authentication

Login Authentication Process Flow

Much of the login authentication process consists of determining whether the user meets all requirements, can be logged in, and can proceed to the landing page. These checks are performed by EASYProcess Process PRC-10000010.

Below are all the checks performed on login as part of the process flow. When a check decides that the user cannot log in, a message code is used and the default message associated with that message code is shown (messages are set up in “Work with Messages”). Some checks require further action and will forward the user to another page to retrieve certain information. These checks do not return an error code; they instead retrieve the information from the user and then restart the authentication process.

Each check below is listed by its Login Logic name, followed by the Message Code, the Message, and the Logic Explanation.

Blocked IP

Message Code: 003

Message: Unauthorized Access.

The ReferrerAddress (the user’s IP address) is retrieved during the login process and used to query the database table [EPIPAddressBlockList]. If any row is returned, the IP address has been blocked from login.

UserId Does Not Exist

Message Code: 004

Message: User Id/Password invalid.

If the UserId typed in on login does not exist in the [EPUsers] table, the user does not exist.

Password Invalid

Message Code: 004

Message: User Id/Password invalid.

If the password does not match the password recorded for the user, login is halted. This is the message displayed to the Admin (UserAuthorizationType = ‘Internal_Admin’) on every incorrect attempt because the admin cannot be locked out due to unsuccessful attempts.

If $EP_Profile_Login_Default_EnforceUnsuccessfulAttempts is set to “False”, or $EP_Profile_Login_Default_NoOfUnsuccessfulAttempts is set to “0” or is otherwise not a valid value, this will also be the message displayed on every incorrect attempt.

If login does enforce unsuccessful attempts, each unsuccessful attempt will increment the count by 1 and save this value in the database table/column [EPUsers].[UnsuccessfulAttemptCount].

Password Invalid - Account about to be Deactivated

Message Code: 010

Message: One more unsuccessful attempt will disable your profile.

If the [EPUsers].[UnsuccessfulAttemptCount] for the user attempting to log in is one less than the value saved in $EP_Profile_Login_Default_NoOfUnsuccessfulAttempts, a different message is displayed warning the user that only one attempt remains.

Password Invalid - Account Deactivated

Message Code: 007

Message: Your profile is disabled. Please contact system administrator.

If the [EPUsers].[UnsuccessfulAttemptCount] for the user attempting to log in has reached the value saved in $EP_Profile_Login_Default_NoOfUnsuccessfulAttempts, the account is deactivated.

This is done by updating the user’s record in the [EPUsers] table to set the following columns:

  • UnsuccessfulAttemptCount
  • UserStatus = “Inactive”
  • DateDeactivated
  • DeactivationReason = “Max unsuccessful attempts reached.”

An email is also sent to the site admin ($EP_Profile_AppSettings_Default_AdminEmailId) with the UserId that has been marked as inactive.
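The three password-failure outcomes above (message codes 004, 010 and 007) can be expressed as one state transition over the user record. The following is an added example written for this page, not code from EASYProcess or PRC-10000010; it assumes the configuration variables are loaded as a boolean and a string, that the admin e-mail is represented by an in-memory list, and that the attempt counter is not incremented for an Internal_Admin user (the page says only that the admin cannot be locked out).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Assumed stand-ins for the two configuration variables named on the page.
ENFORCE_UNSUCCESSFUL_ATTEMPTS = True  # $EP_Profile_Login_Default_EnforceUnsuccessfulAttempts
NO_OF_UNSUCCESSFUL_ATTEMPTS = "3"     # $EP_Profile_Login_Default_NoOfUnsuccessfulAttempts


@dataclass
class User:
    """In-memory stand-in for one row of [EPUsers] (constructed for this example)."""
    user_id: str
    authorization_type: str = "External"
    unsuccessful_attempt_count: int = 0
    user_status: str = "Active"
    date_deactivated: Optional[datetime] = None
    deactivation_reason: str = ""


def max_attempts(enforce: bool, raw_value: str) -> int:
    """Lockout threshold; 0 means lockout is not enforced.

    Per the page, "False", "0" or any non-numeric value disables lockout,
    so every incorrect attempt then yields message 004.
    """
    if not enforce:
        return 0
    try:
        n = int(raw_value)
    except (TypeError, ValueError):
        return 0
    return n if n > 0 else 0


def handle_failed_password(user: User, enforce: bool, raw_max: str,
                           admin_mail: List[str]) -> str:
    """Apply the lockout rules after an incorrect password; return the message code."""
    limit = max_attempts(enforce, raw_max)
    # Internal_Admin is never locked out; assumption: its counter is left untouched.
    if user.authorization_type == "Internal_Admin" or limit == 0:
        return "004"
    user.unsuccessful_attempt_count += 1  # persisted to [EPUsers].[UnsuccessfulAttemptCount]
    if user.unsuccessful_attempt_count >= limit:
        user.user_status = "Inactive"
        user.date_deactivated = datetime.now(timezone.utc)
        user.deactivation_reason = "Max unsuccessful attempts reached."
        admin_mail.append(f"User {user.user_id} marked inactive")  # stand-in for the admin e-mail
        return "007"
    if user.unsuccessful_attempt_count == limit - 1:
        return "010"  # one more failure disables the profile
    return "004"
```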

No Assigned Web/Parent Account

Message Code: 006

Message: Account is deactivated.

When the user was created, the column [WebAccountId] in the [EPUsers] table should have been filled in with the associated Web/Parent Account. If it was not and this value is blank, login cannot continue.

The [WebAccountId] is a K-Rise assigned NextNumber and does not exist in JDE. AB-10000001 (the Id of the Internal Users’ Account) is an example of the Id.

Web/Parent Account Inactive

Message Code: 006

Message: Account is deactivated.

This check retrieves the JDE Address Number associated with the [EPUsers].[WebAccountId] by querying [AddressBook].[ERPAddressNumber]. That JDE Address Number is then used in the same query that initially retrieved the addresses that can be displayed in the K-Rise portal.

If this address number is no longer returned in that query, the Web/Parent Account is marked as deactivated by setting [AddressBook].[AccountStatus] = “Inactive”.

Force Accept Terms and Conditions

Message Code: N/A

Message: N/A

If the configuration variable $EP_Profile_Login_Default_ForceTermsAccept is set to “True”, the user is forced to accept the Terms and Conditions upon first login. If the user’s record does not carry the flag indicating they have previously accepted ([EPUsers].[TermsAccepted] = “True”), the user is forwarded to a page that displays the T&Cs with an “Accept” button that updates the user’s flag to “True”.

Once the user accepts the T&Cs, the authentication process is restarted and will now be able to move past this check.

Force Security Questions

Message Code: N/A

Message: N/A

If the configuration variable $EP_Profile_Login_Default_ForceSecurityQuestions is set to “True”, the user must set up security questions if they have not already done so (this applies on first login, or when the feature is turned on for an existing user). If the user still needs to set any security questions, they are forwarded to a page to do so. Upon saving their changes, the authentication process is restarted and they will now be able to move past this check.

If the site has ForceSecurityQuestions turned on, the number of security questions to use can be specified in the configuration variable $EP_Profile_Login_Default_SecurityQuestions. This accepts one of the following numbers: “1”, “2”, “3”, “4”, “5”. This means up to five security questions can be required of all users, to be used when retrieving a lost password.

Force Password Change

Message Code: N/A

Message: N/A

If it is decided the user needs to change their password, the user will be forwarded to a page to change their password. Upon saving their changes, the authentication process is restarted and they will now be able to move past this check.

This can happen if the user has been flagged for a password change ([EPUsers].[ForcePasswordChange] = “True”) by the system from other features or by the admin manually. It can also happen if the configuration variable $EP_Profile_Login_Default_ForcePasswordChange is set to “True” and the password is expired. A password is considered expired if the number of days between now and the last changed date is greater than the number of days specified in the configuration variable $EP_Profile_Login_Default_ExpireInDays.

Shipping Address Validation

Message Code: 008

Message: No Shipping Address Found.

On login, the user’s account has all of its Billing and Shipping addresses refreshed with data from JDE. It is refreshed using the same SQL queries used to originally download the data when the account was created. If the SQL queries were modified or the account record was modified in JDE and the address is no longer returned by the query, the address is marked as “Inactive” ([AddressBook].[AccountStatus] = “Inactive”).

First the user’s Default Shipping Address is found. If it is not active, or it exists under an inactive Billing Address, a query is run to find all Active Shipping Addresses that belong to Active Billing Addresses. The first result of this query is assigned as the user’s new Default Shipping Address. If none is found, the user cannot log in.

Billing Address Validation

Message Code: 009

Message: No Billing Address found.

On login, the user’s account has all of its Billing and Shipping addresses refreshed with data from JDE. It is refreshed using the same SQL queries used to originally download the data when the account was created. If the SQL queries were modified or the account record was modified in JDE and the address is no longer returned by the query, the address is marked as “Inactive” ([AddressBook].[AccountStatus] = “Inactive”).

First the user’s Default Shipping Address is found. If it is not active, or it exists under an inactive Billing Address, a query is run to find all Active Shipping Addresses that belong to Active Billing Addresses. The first result of this query is assigned as the user’s new Default Shipping Address. If none is found, the user cannot log in.