08-25-2011 01:41 PM
I have an ACT Premium 2011 site that has multiple databases under a single website. If a user types their password wrong 4-5 times, a message appears saying "Unable to authenticate user. Log on will be disabled for the next five minutes for security purposes. Please try again later." This doesn't just lock out that user, it locks ALL users out of not only that database, but ALL databases under that site aren't accessible by anyone until that five minutes is up. Also, if someone presses F5 to refresh, it resends the username and password which resets the 5 minutes if it hasn't elapsed.
Is this by design that it locks the entire site because a single person doesn't know their password? Is there a way to "unlock" the database and/or site before those five minutes are up so that all users aren't locked out for 5 straight minutes?
09-24-2014 06:04 AM
We haven't tested this on ACT v16 yet, but hopefully Swiftpage made a few code changes to stop this from happening. We have a few databases that have 20-30 users in them regularly and this is not a fun topic to try and explain to the client why everyone can't work for 5 minutes because of a design flaw in the software.
09-24-2014 09:54 AM
Because all the databases are attached and under the control of the SQL server, I suspect that the lockout is under the control of the SQL server and that's why it locks all the databases. I would assume that the initial lock is initiated from the ACT! program but that ACT! doesn't have control of how the lock is performed by the SQL server.
09-24-2014 10:00 AM
Sorry, but that doesn't cut it. If ACT can't figure out how to lock the USER account instead of the database, then it shouldn't do lockouts at all, or should give us a way to disable this behavior.
09-24-2014 11:09 AM
Agreed. Because user access is controlled within ACT and not by individual SQL users, SQL server doesn't care what's going on behind the scenes. It just does what it's told by the impersonator account. A simple "ISLOCKED" field in the TBL_USERS table would make for a very easy solution to this with a 5-minute unlock trigger for individual users.
09-24-2014 01:54 PM
Now you get into the issue of overall security. If someone is trying to hack the database you would want to lock the entire database to impede them.
09-24-2014 02:08 PM
I would hope that the built-in security model is set so that it locks the user that it's trying to log in as. That is a HORRIBLE security model to straight up lock all access to the database. That's like saying (on a much larger scale) that because I lock my Yahoo account, all of Yahoo locks until that timer is up. I have upwards of 20-30 users simultaneously in some databases. They shouldn't have to be completely disrupted because I locked my account, and on top of that, there's no way as a system administrator to unlock it early so that they can get back to using the database.
I realize I am up on a soap box right now and you aren't one of the developers of the product so none of this is pointed directly at you. It's just a pain in the butt when I get occasionally flooded with emails from a client because they can't work because of one user who fat-fingers their password one too many times. It's also frustrating that three versions later (2011 to v16) there at least isn't some sort of unlock function built in so when a user does lock their account I can quickly unlock it and everyone can go about their business.
09-24-2014 04:16 PM
"Now you get into the issue of overall security. If someone is trying to hack the database you would want to lock the entire database to impede them."
I deal with lots of different software packages, plus manage several webservers. I have NEVER seen software that locked everything up because one user account mistyped some passwords. Lock the one user account? Fine. Lock everything? Not so fine.
Regardless, if that's the way ACT wants to work it, whatever... But let me disable this behavior and take the risk upon myself. Holding all of my users hostage for 5 minutes is a bad way to handle this.
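Added illustration, not part of the thread and not ACT! code: a minimal sketch of the per-user lockout the posters ask for, where failures are counted per database and user, a resubmitted logon during the lock does not restart the five minutes, and an administrator can clear the lock early. The class and method names and the threshold of 5 failures are assumptions.

```python
import time

MAX_FAILURES = 5          # assumption: the thread only says "4-5 times"
LOCKOUT_SECONDS = 5 * 60  # the five-minute window quoted in the error message


class PerUserLockout:
    """Counts failures per (database, user); one user never locks out others."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # key -> consecutive failed attempts
        self._locked_until = {}  # key -> clock value at which the lock expires

    @staticmethod
    def _key(database, username):
        return (database, username.lower())

    def is_locked(self, database, username):
        key = self._key(database, username)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock has expired: clear state so the user starts fresh.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def attempt(self, database, username, password_ok):
        """Record one logon attempt; returns 'ok', 'denied' or 'locked'."""
        key = self._key(database, username)
        if self.is_locked(database, username):
            # A resubmit (browser refresh) is refused without touching the
            # expiry time, so it cannot extend the lockout.
            return "locked"
        if password_ok:
            self._failures.pop(key, None)
            return "ok"
        self._failures[key] = self._failures.get(key, 0) + 1
        if self._failures[key] >= MAX_FAILURES:
            self._locked_until[key] = self._clock() + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def admin_unlock(self, database, username):
        """Clear a lock early; returns True if the account was locked."""
        key = self._key(database, username)
        self._failures.pop(key, None)
        return self._locked_until.pop(key, None) is not None
```

Per-account lockout does not slow an attacker who tries one password across many accounts; that needs separate rate limiting per source.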