Anatomy of a Login


COOKIES
Cookies are small packets of data that are sent between your web browser and a web server.  This server uses two cookies, both of which are stored on your computer.  The first cookie is required for the software to function properly.  This cookie is used to uniquely identify you while you are using the system.  If you log out of this system when you are finished, this session cookie will be cleared from your computer.  If you don't log out but let your session expire due to inactivity, the cookie will remain on your computer until the next time you log in.  At that point, the old cookie will be replaced with a newer version.

The second cookie is optional.  It contains the name you used the last time you logged into this system.  When you log in, you have the option of having your login name stored on your computer for your convenience.  When you select this option, you won't have to enter your name every time you log in using this computer.  However, you always have to type in a password.  If this computer is used by other people, you should not use this option.

Whenever you log into ClassWeb, the software checks that your browser both supports cookies and has them enabled.  If ClassWeb cannot send and receive cookies from your browser when you log in, you will receive an error message along with further instructions.

SESSIONS
With every request that a web browser sends into ClassWeb, the server checks whether the browser also sent along a cookie containing a ClassWeb session ID.  If not, the server redirects the browser to a different URL and sends along a test cookie that contains a blank session ID.  The browser will then contact the new URL.  If this new request does not include the test cookie, a warning message is returned to the user informing them that their browser either does not support cookies or that they have been disabled.

If the test cookie does come back to the new URL, the server redirects the browser back to the original URL.  However, this time the request from the browser will be accompanied by the blank session ID cookie.  The server will know that the client supports cookies but is not yet running a session.

The server will now start a new session for the user.  Every session is identified with an eight digit number called the session ID.  There is a different session for every computer that connects to ClassWeb.  Note that when a session is first started, we don't know who the user is because the user has not logged in yet.  Also note that after a user logs in, any time the user has not sent a request to the server for more than two hours, their session will automatically expire.
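The cookie test and session start described above, written out as an added Python example (not ClassWeb's own code).  The cookie name, the test URL path, the "back" query parameter used to remember the original URL, and the response representation are assumptions; the blank test cookie, the eight-digit session ID, the five-minute pre-login limit and the two-hour post-login inactivity limit come from the page.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse

SESSION_COOKIE = "cwsession"     # assumed cookie name
TEST_PATH = "/cookietest"        # assumed path the test redirect points at
BLANK_ID = ""                    # the test cookie carries a blank session ID
PRE_LOGIN_LIMIT = 5 * 60         # five minutes to log in (page)
POST_LOGIN_LIMIT = 2 * 60 * 60   # two hours of inactivity after login (page)


@dataclass
class Session:
    started: float
    last_seen: float
    user: Optional[str] = None   # unknown until the user logs in


@dataclass
class Response:
    action: str                       # "redirect", "warn" or "ok"
    location: Optional[str] = None
    set_cookie: Optional[str] = None  # new value for the session cookie, if any
    session_id: Optional[str] = None


class SessionServer:
    def __init__(self, clock=time.time):
        self.clock = clock            # injectable clock so expiry can be tested
        self.sessions: dict = {}

    def _new_id(self) -> str:
        # Eight-digit ID as the page describes, drawn from a CSPRNG and
        # guaranteed not to collide with a live session.
        while True:
            sid = f"{secrets.randbelow(10**8):08d}"
            if sid not in self.sessions:
                return sid

    def _start_session(self):
        now = self.clock()
        sid = self._new_id()
        self.sessions[sid] = Session(started=now, last_seen=now)
        return sid, self.sessions[sid]

    def handle(self, url: str, cookies: dict) -> Response:
        parts = urlparse(url)
        now = self.clock()

        # Request to the test URL: did the blank test cookie come back?
        if parts.path == TEST_PATH:
            if cookies.get(SESSION_COOKIE) is None:
                return Response("warn")   # no cookie support, or cookies disabled
            back = parse_qs(parts.query).get("back", ["/"])[0]
            return Response("redirect", location=back)

        sid = cookies.get(SESSION_COOKIE)
        if sid is None:
            # No session cookie at all: send the test cookie and bounce the
            # browser to the test URL, remembering where it wanted to go.
            return Response("redirect",
                            location=f"{TEST_PATH}?back={quote(url, safe='')}",
                            set_cookie=BLANK_ID)

        session = self.sessions.get(sid) if sid != BLANK_ID else None
        if session is not None:
            limit = POST_LOGIN_LIMIT if session.user else PRE_LOGIN_LIMIT
            if now - session.last_seen > limit:
                del self.sessions[sid]    # expired; a fresh session replaces it
                session = None

        if session is None:
            # Either the blank test cookie came back (cookies work) or the old
            # session expired: start a new session and hand its ID to the browser.
            sid, session = self._start_session()
            return Response("ok", set_cookie=sid, session_id=sid)

        session.last_seen = now
        return Response("ok", session_id=sid)
```

A browser with cookies disabled never gets past the "warn" response, while a browser that honours the blank test cookie is redirected back to its original URL and receives a real session ID on that second visit; a session that sits idle past its limit is discarded and the browser's stale cookie is overwritten on its next request.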

LOGGING IN
There are two methods for users to log in: automatic and manual.  The automatic method is only attempted if the incoming URL contains the parameter "auto=1".  If this parameter is missing or if the automatic method fails, a login screen is returned to the user.

There are two sets of classification menus: an automatic login menu that will attempt an automatic login; and a manual login menu.  The only difference between these menus is the addition of the "auto=1" parameter in each URL on the menu.

Automatic Login
If the initial request to ClassWeb contains the parameter "auto=1" in the URL, the server will use the IP address of the end-user's computer to see if it matches any accounts.  Each account may contain one or more IP addresses that are used for this purpose.  These IP addresses may refer to a single computer or an entire network (through the use of a network mask).  Users configure these values using the account preferences link found on most menus.  A more complete description of how to configure IP addresses in user records can be found here.

If none of the user records have an IP address that matches the incoming IP address, a manual login page will be returned to the user with the "auto=1" parameter removed.  The manual login procedure is described below.

If an IP address from one of the user records matches the end-user's IP address, the server performs a series of tests.  If any of these tests fail, an error message will be returned to the user and they will not be able to log in.  The account must pass the following tests:

1) The account must have a password but the read-only password can be blank.

2) If the account is an in-house account (these are staff accounts for LC employees) or if this is the non-CDS in-house server, the user is let in and the rest of these tests are skipped.

3) The account must have a starting date and the current date must be greater than or equal to the starting date.

4) The account must have an expiration date and the current date must be no more than thirty days after the expiration date (there is a 30 day grace period before a user is completely shut out).

5) The server checks the account type to see how many users can log in with the same account name at the same time and counts how many users are already logged into this account to make sure this limit is not being exceeded with the current login.

Manual Login
Once a new session has been started, a user has five minutes to successfully log in, after which time their session will be terminated.  In that case, any new requests would result in the creation of a new session.

When the user submits their login page, it will contain a user name and a password.  Both of these values are required.  The server then performs a series of tests.  If any of the first three tests fail, the server will return another login screen to the user with an "Access denied" error message.  If any of the remaining tests fail, the user will only receive an error message without a new login screen.  The account must pass the following tests:

1) An account for this specific user name must exist.

2) The account must have a password.  (As a side note, removing an account's password effectively disables the account.)

3) The password the user entered must match the account password.  If it does not and the account has a read-only password, the user's password is compared to that.  If that matches, the user will have a read-only session and will not be able to modify their account preferences or create local notes.

4) If the account is an in-house account (these are staff accounts for LC employees) or if this is the non-CDS in-house server, the user is let in and the rest of these tests are skipped.

5) The account must have a starting date and the current date must be greater than or equal to the starting date.

6) The account must have an expiration date and the current date must be no more than thirty days after the expiration date (there is a 30 day grace period before a user is completely shut out).

7) The server checks the account type to see how many users can log in with the same account name at the same time and counts how many users are already logged into this account to make sure this limit is not being exceeded with the current login.
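The automatic and manual login tests above, including the IP address and network mask matching from the Automatic Login section, as one added Python example (not ClassWeb's own code).  The Account and Outcome structures, the account dictionary keyed by user name, the per-account concurrent-login limit standing in for "account type", and the reason strings are assumptions; the ordering of the tests, the "Access denied" screen for the first three manual tests, the read-only session, the in-house bypass and the thirty-day grace period follow the page.  Passwords are compared in constant time here; a deployed system would verify a stored password hash instead of a plaintext value.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

GRACE_DAYS = 30   # grace period after the expiration date (page)


@dataclass
class Account:
    name: str
    password: Optional[str]                    # empty/None means the account is disabled
    read_only_password: Optional[str] = None
    in_house: bool = False
    start_date: Optional[date] = None
    expiration_date: Optional[date] = None
    max_concurrent: int = 1                    # stands in for the account type's limit
    networks: list = field(default_factory=list)   # ipaddress networks for auto login


@dataclass
class Outcome:
    ok: bool
    reason: str = ""
    read_only: bool = False
    show_login_form: bool = False   # failure that comes with a fresh login screen


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(a.encode(), b.encode())


def common_tests(acct: Account, today: date, active_logins: int,
                 in_house_server: bool = False) -> Outcome:
    """Tests shared by automatic login (2-5) and manual login (4-7)."""
    if acct.in_house or in_house_server:
        return Outcome(True, "in-house account or server; remaining tests skipped")
    if acct.start_date is None or today < acct.start_date:
        return Outcome(False, "account has no starting date or has not started yet")
    if acct.expiration_date is None or today > acct.expiration_date + timedelta(days=GRACE_DAYS):
        return Outcome(False, "account has no expiration date or its grace period is over")
    if active_logins >= acct.max_concurrent:
        return Outcome(False, "too many users already logged into this account")
    return Outcome(True)


def automatic_login(accounts: dict, client_ip: str, today: date,
                    active_logins: dict, in_house_server: bool = False) -> Outcome:
    """auto=1 path: match the client IP against each account's addresses/networks."""
    ip = ipaddress.ip_address(client_ip)
    acct = next((a for a in accounts.values() if any(ip in n for n in a.networks)), None)
    if acct is None:
        # No match: fall back to the manual login page (auto=1 removed).
        return Outcome(False, "no account matches this IP address", show_login_form=True)
    if not acct.password:                       # test 1: password required, read-only may be blank
        return Outcome(False, "account has no password")
    return common_tests(acct, today, active_logins.get(acct.name, 0), in_house_server)


def manual_login(accounts: dict, username: str, password: str, today: date,
                 active_logins: dict, in_house_server: bool = False) -> Outcome:
    """Login form path: the first three failures return a new login screen."""
    acct = accounts.get(username)
    if acct is None or not acct.password:       # tests 1 and 2
        return Outcome(False, "Access denied", show_login_form=True)
    read_only = False
    if not _same(password, acct.password):      # test 3, with read-only fallback
        if acct.read_only_password and _same(password, acct.read_only_password):
            read_only = True
        else:
            return Outcome(False, "Access denied", show_login_form=True)
    out = common_tests(acct, today, active_logins.get(username, 0), in_house_server)
    out.read_only = out.ok and read_only
    return out
```

Note that the missing-account and wrong-password cases deliberately return the same "Access denied" outcome, so a failed attempt does not reveal whether the user name exists, while the later tests report their specific reason without a new form, as the page describes.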

A user can change their password by checking the Change Password box on the login screen when they log in.  They can change their read-only password on their account preferences page.


Copyright © Minaret Corp.