Logon

From RPM Wiki

Summary

In RPM the word logon has two, related meanings:

  • Verb. When a user wishes to access RPM they must be authenticated. Using the logon page the user can submit their username and password for authentication. The user will "logon to RPM".
  • Info. Logon is also the label of a section of the details page of users. In this section the staff may be allowed to edit that user's username and password, their "logon information". The staff user may also set that user as not being allowed to use RPM, "disable their logon".
    • Note: Users may not disable their own logon.
    • Note: If the logon of a user is disabled while that user is currently logged on, they will continue to be logged on. The disabled setting only prevents them from accessing the system the next time they try to logon.

Logon by request

Normally users logon to RPM by typing their username & password into the logon page, but there is also a method for another system to log a user in for them. This requires the other system to know the RPM username & password for the user. That means if the username or password is changed in RPM, it must be manually updated in the other system. Also, this is a "one-way" feature: RPM cannot log users into other systems. Understanding those restrictions, this feature provides a way to build a "single logon" solution when you have other systems your users must access.

  • Use: Provide a link on your system that a user can click to be taken right to their home page in RPM
  • Note: This feature does not "skip" the logon page so normal logon rules apply. It is as if the system just typed in the username & password for the user.
  • Note: This feature can only send the user to their homepage, not to a different page inside RPM.
  • Note: Using this feature requires the skills and knowledge to generate custom forms or links in your other application. You should also understand the difference between "get" and "post" HTTP request methods.

Use

The other system must know the username and password of the user. These are added as parameters to a form or link that sends a request to the RPM logon page. The method of the link can be either get or post.

  • Note: To use this feature, the other system must be able to dynamically generate a custom link or form for each user.

There are 2 parameters that must be passed:

  • uid - the username
  • pwd - the password

Example code

Replace "yourrpmdomain.com" with the domain you use to access your RPM deployment. Replace "johnsmith" and "123456" with the user's username and password respectively.

By form (post or get methods):

<form action="https://yourrpmdomain.com/rpm/Login.aspx" method="post">
<input type="hidden" name="uid" value="johnsmith">
<input type="hidden" name="pwd" value="123456">
<input type="submit">
</form>

By link (get method only):

<a href="https://yourrpmdomain.com/rpm/Login.aspx?uid=johnsmith&pwd=123456">Logon to RPM</a>

Logon by request security concerns

  • Logon information. Using this feature requires usernames and passwords for RPM to be stored on another system. Doing this creates a potential security vulnerability. A security flaw on that other system could expose those usernames & passwords.

Best practice: Store the usernames & passwords in an encrypted form. Consider only using this feature for agent users, not staff users.

  • Get vs. post. When considering which method to use, note there is a small security difference. Both are protected from interception if SSL is used (HTTPS), however get has a problem if the logon is incorrect. When the logon is successful the user simply sees their RPM homepage, but if the logon is incorrect the user is presented with the logon page and an error. If the get method was used then the user's username and password are displayed, in plain text, in the browser URL field. Furthermore, they are also saved that way in the user's browser history.
  • Wrong URL. Using this system means generating a link or a form that sends out the user's username and password to another system. That system is supposed to be RPM, but if an error is made in the link that information may be sent elsewhere. Chances are a mistake would lead to an invalid URL, but there is a remote chance it could be a real server. This is a minor security issue, but something to keep in mind nonetheless.

Best practice: Make sure the URL ("action" for forms, "href" for links) is correct. Always make sure it uses the "https://" protocol, never "http://". The "s" means it is a secure connection.
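The following is an added example, not code from the RPM wiki or from RPM itself, showing how the "other system" could generate the per-user logon form from the Use section while applying the best practices above: it refuses to emit credentials unless the action URL uses https and points at the expected RPM host and path, it uses the post method rather than a get link so the uid and pwd parameters never appear in the browser URL or history, and it HTML-escapes the values so an unusual username or password cannot break the form. The domain "yourrpmdomain.com", the username "johnsmith" and the password "123456" are the page's placeholders; the function names and the check on the path are this example's own assumptions.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Assumed values: the page's placeholder domain and the logon page path
# from its example code. Replace with your own RPM deployment's domain.
EXPECTED_HOST = "yourrpmdomain.com"
LOGIN_PATH = "/rpm/Login.aspx"


def check_logon_url(url: str, expected_host: str = EXPECTED_HOST) -> list[str]:
    """Return the problems found with the URL the credentials would be sent to.

    An empty list means the URL uses https and points at the expected RPM
    host and logon page, which addresses the "wrong URL" concern above.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, must be 'https'")
    if parts.hostname != expected_host:
        problems.append(f"host is {parts.hostname!r}, expected {expected_host!r}")
    if parts.path != LOGIN_PATH:
        problems.append(f"path is {parts.path!r}, expected {LOGIN_PATH!r}")
    if parts.query:
        problems.append("action URL must not carry a query string")
    return problems


def build_logon_form(action_url: str, uid: str, pwd: str) -> str:
    """Render the hidden POST form for one user, refusing an unsafe action URL.

    POST is used deliberately: with GET a failed logon leaves uid and pwd
    visible in the browser URL field and saved in the browser history.
    """
    problems = check_logon_url(action_url)
    if problems:
        raise ValueError("refusing to emit credentials: " + "; ".join(problems))
    # escape(..., quote=True) turns quotes and angle brackets into entities,
    # so a value such as  o"><b>  cannot break out of the value attribute.
    return (
        f'<form action="{escape(action_url, quote=True)}" method="post">\n'
        f'<input type="hidden" name="uid" value="{escape(uid, quote=True)}">\n'
        f'<input type="hidden" name="pwd" value="{escape(pwd, quote=True)}">\n'
        '<input type="submit" value="Logon to RPM">\n'
        "</form>"
    )


def credentials_in_url(url: str) -> bool:
    """True if a link carries uid or pwd in its query string.

    Useful as a lint over generated links: any hit is a GET-style logon link
    whose credentials would end up in the address bar and browser history.
    """
    query = parse_qs(urlsplit(url).query)
    return "uid" in query or "pwd" in query


if __name__ == "__main__":
    # Constructed sample input using the page's placeholder values.
    print(build_logon_form("https://yourrpmdomain.com/rpm/Login.aspx", "johnsmith", "123456"))
    print(check_logon_url("http://yourrpmdomain.com/rpm/Login.aspx"))
    print(credentials_in_url("https://yourrpmdomain.com/rpm/Login.aspx?uid=johnsmith&pwd=123456"))
```

The form is meant to be written into the page served to the user by your own application, with the submit button either shown or triggered by script; because the check runs before any credential is placed in the output, a typo in the configured action URL fails loudly at generation time instead of quietly sending a password to the wrong server.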

Security

Staff users

  • Staff users may always change their own username and password.
  • Editing the logon information of another staff user requires the "super user" role.
  • Editing the logon information of an agent user requires the "Agency & rep information" privilege.

Agent users

  • Agency managers see the username of reps in their agency and if that rep’s logon is disabled.
  • Agent users may only change their own username and password.

This page was last modified 16:39, 22 Jun 2009.