Account lockout
A user account is locked automatically by PageSeeder after multiple consecutive failed sign-in attempts. While their account is locked, users cannot sign in. They must wait for the account lockout time to expire or contact an administrator to unlock their account.
Configuration
For security reasons, PageSeeder doesn’t disclose how many attempts cause the lockout, nor how long the account is locked for. However, you can configure the account lockout behavior using the following global properties:
Property | Effect |
---|---|
minAccountLockout | The minimum number of minutes an account can be locked for |
maxAccountLockout | The maximum number of minutes an account can be locked for |
minBadLogins | The minimum number of incorrect sign-in attempts before an account is locked |
maxBadLogins | The maximum number of incorrect sign-in attempts before an account is locked |
User experience
The sign-in always warns the user after a couple of failed sign-in attempts, irrespective of the configuration. It recommends that users use the reset password flow to avoid having their account locked.
Once the account is locked, a warning tells the user that it is locked.
Unlocking an account
Administrators can unlock an account by going to the user account profile page in the system administration and clicking the Unlock button.
Alternatively, an account can be unlocked through the API using the /members/{member}/unlock service.