Locking out guests after too many failed log-in attempts
 
For any page on which a user can log in to access a guest record using verification (GuestSelected.aspx, DWLookup.aspx, MemberLogin.aspx and RenewPass.aspx), log-in attempts (successful and failed) are written to the event log, including the IP address of the client. Guest log-ins are only written to the event log when VerbosityLevel is greater than or equal to 4 (e.g., Site Admin Panel > Miscellaneous Settings > VerbosityLevel > value = 5). If the number of failed log-in attempts exceeds the value set in guest preferences (SysManager > Preferences > Guests > Misc tab > Number of failed login attempts before lock), the guest record is locked out.
 
Note: If the value in guest preferences is set to 0, the guest record locking mechanism is disabled. Locked-out guest records cannot be logged into and need to be reset from within SysManager.
 
When a locked record is encountered, the E-Commerce pages session is ended and the user is redirected to the error page. To customize the text shown on that page when this occurs, use the setting: Site Admin Panel > Guest Related Settings > LockoutMessage > value = Your account has been locked due to too many failed login attempts. Please contact us to correct this or try again after the time has elapsed.

After the first failed log-in attempt, a delay of three seconds occurs. After each successive failed log-in attempt, this delay doubles until a log-in is successful or the account gets locked. This delay mechanism was added to fend off automated attacks that try to gain access to a guest record. A successful log-in resets the failed log-in counter, provided the guest record is not locked.
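The following Python sketch models the lockout and doubling-delay rules described above so an administrator can see what a given "Number of failed login attempts before lock" value costs a run of consecutive failed log-ins. It is an added example, not code from the product; the class and function names are hypothetical, and it assumes that the record locks on the first failure that exceeds the preference value and that no delay is applied to that locking attempt.

```python
from dataclasses import dataclass

BASE_DELAY_SECONDS = 3  # delay after the first failed log-in, per the guide


@dataclass
class GuestLoginState:
    """Hypothetical model of one guest record's lockout state."""
    lock_threshold: int      # preference value; 0 disables locking
    failed_attempts: int = 0
    locked: bool = False

    def record_failure(self) -> int:
        """Register a failed log-in; return the delay in seconds that follows."""
        if self.locked:
            return 0  # locked records are rejected until reset in SysManager
        self.failed_attempts += 1
        # Assumption: lock once the count exceeds the preference value.
        if self.lock_threshold > 0 and self.failed_attempts > self.lock_threshold:
            self.locked = True
            return 0
        # 3 s after the first failure, doubling on each successive failure.
        return BASE_DELAY_SECONDS * 2 ** (self.failed_attempts - 1)

    def record_success(self) -> bool:
        """A successful log-in resets the counter only if the record is not locked."""
        if self.locked:
            return False
        self.failed_attempts = 0
        return True


def delays_until_lock(lock_threshold: int, max_attempts: int = 20) -> list[int]:
    """Delays imposed on consecutive failures, stopping when the record locks."""
    state = GuestLoginState(lock_threshold)
    delays = []
    for _ in range(max_attempts):
        delay = state.record_failure()
        if state.locked:
            break
        delays.append(delay)
    return delays


if __name__ == "__main__":
    for threshold in (3, 5, 10):
        d = delays_until_lock(threshold)
        print(f"threshold={threshold}: delays={d} total={sum(d)}s")
    # With locking disabled (0), only the doubling delay slows guessing.
    print("threshold=0:", delays_until_lock(0, max_attempts=8))
```

With the threshold set to 0 the delay keeps doubling but the record never locks, so the delay is the only control left against repeated guessing.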