We’re standardizing the security hardening routines across several Sitecore customers, and it’s curious that Sitecore’s documentation on improving login security doesn’t cover the Login.RememberLastLoggedInUserName setting.
For reference, in the sitecore.config file this setting is provided as follows:
```xml
<!--  REMEMBER LAST LOGGED IN USER NAME
      Specifies whether Sitecore will remember the last logged in user name on the login page (stored encrypted in a cookie).
      If you set this to false, the user name field on the login page will always be blank.
-->
<setting name="Login.RememberLastLoggedInUserName" value="true"/>
```
The patch file we apply alongside the documented hardening settings:

```xml
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <settings>
      <setting name="Login.DisableAutoComplete">
        <patch:attribute name="value">true</patch:attribute>
      </setting>
      <setting name="Login.DisableRememberMe">
        <patch:attribute name="value">true</patch:attribute>
      </setting>
      <!-- not officially part of Sitecore's security hardening measures, but still a good security practice -->
      <setting name="Login.RememberLastLoggedInUserName">
        <patch:attribute name="value">false</patch:attribute>
      </setting>
    </settings>
  </sitecore>
</configuration>
```
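As an added example (not code from the original post and not Sitecore's own tooling), here is a small Python check that applies the `patch:attribute` directives from a patch like the one above to a constructed stand-in for the settings section of sitecore.config, then verifies that the three Login settings end up with the hardened values. It implements only the `patch:attribute` on `value` subset of Sitecore's patching semantics, which is all this patch uses; the `BASE_CONFIG` values are assumptions standing in for the shipped defaults, and the setting-not-in-base branch mirrors what a merge would have to do rather than Sitecore's exact behaviour.

```python
"""Check that a Sitecore config patch leaves the Login.* settings hardened.

Added example, not part of the original post. Only the <patch:attribute name="value">
semantics used by the login-hardening patch are implemented: the attribute is set on
the base <setting> with the same name. Everything here runs offline.
"""
import xml.etree.ElementTree as ET

PATCH_NS = "http://www.sitecore.net/xmlconfig/"

# Constructed stand-in for the relevant part of sitecore.config (assumed defaults).
BASE_CONFIG = """<configuration>
  <sitecore>
    <settings>
      <setting name="Login.DisableAutoComplete" value="false"/>
      <setting name="Login.DisableRememberMe" value="false"/>
      <setting name="Login.RememberLastLoggedInUserName" value="true"/>
    </settings>
  </sitecore>
</configuration>"""

# The hardening patch discussed in the post.
HARDENING_PATCH = """<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <settings>
      <setting name="Login.DisableAutoComplete">
        <patch:attribute name="value">true</patch:attribute>
      </setting>
      <setting name="Login.DisableRememberMe">
        <patch:attribute name="value">true</patch:attribute>
      </setting>
      <setting name="Login.RememberLastLoggedInUserName">
        <patch:attribute name="value">false</patch:attribute>
      </setting>
    </settings>
  </sitecore>
</configuration>"""

# A patch that changes nothing, to show the check failing on an unhardened site.
EMPTY_PATCH = '<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/"/>'

# Values a hardened login page must end up with.
EXPECTED = {
    "Login.DisableAutoComplete": "true",
    "Login.DisableRememberMe": "true",
    "Login.RememberLastLoggedInUserName": "false",
}


def settings_of(root):
    """Map setting name -> <setting> element for every setting under root."""
    return {s.get("name"): s for s in root.iter("setting")}


def apply_patch(base_xml, patch_xml):
    """Apply patch:attribute directives and return {setting name: value}."""
    base = ET.fromstring(base_xml)
    patch = ET.fromstring(patch_xml)
    base_settings = settings_of(base)
    for setting in patch.iter("setting"):
        name = setting.get("name")
        for attr in setting.findall(f"{{{PATCH_NS}}}attribute"):
            target = base_settings.get(name)
            if target is None:
                # Setting absent from the base config: create it so the patch still lands
                # (assumed behaviour for this example).
                target = ET.SubElement(base.find("sitecore/settings"), "setting", name=name)
                base_settings[name] = target
            target.set(attr.get("name"), (attr.text or "").strip())
    return {name: el.get("value") for name, el in base_settings.items()}


def check_hardening(merged):
    """Return the names of settings whose merged value is not the hardened one."""
    return [name for name, want in EXPECTED.items() if merged.get(name) != want]


if __name__ == "__main__":
    for label, patch in (("hardening patch", HARDENING_PATCH), ("no patch", EMPTY_PATCH)):
        missing = check_hardening(apply_patch(BASE_CONFIG, patch))
        status = "OK" if not missing else "NOT HARDENED: " + ", ".join(missing)
        print(f"{label}: {status}")
```

Run it as a pre-deployment gate: point `BASE_CONFIG` at the real sitecore.config and `HARDENING_PATCH` at the patch file in App_Config/Include, and fail the build if `check_hardening` returns anything. Sitecore's own ShowConfig.aspx page is the authoritative merged view once the site is up, but this catches a missing or mistyped patch before it ships.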
I should also point out that the first part of Sitecore’s documentation on hardening the login surface is about enforcing SSL. At Rackspace, we don’t do this at the Sitecore application layer: that is the last step in the chain of request processing for a site visit, so it is the slowest place to do it and fairly brittle. Instead, we enforce it earlier in the chain at the F5 layer (or whichever load balancer a customer is running). There are other steps to take in conjunction with this, such as IP whitelisting for access, and again the load balancer is the right place for that sort of work.
More on this soon . . . our team is compiling a unified set of guidance around applying the basic set of Sitecore’s security measures — and then some :).