Reference > Shop flow URLs > Member subsystem URLs > Security


Logon URL

Log a registered user on to a store or site.

Use this URL with SSL (Secure Sockets Layer) to ensure that the customer's logon password and personal information are encrypted.

To do so, type the URL with the HTTPS secure protocol.


URL structure

http:// host_name/path/

The fully qualified name of the WebSphere Commerce Server and the configuration path

Diagram of the URL structure: The URL starts with the fully qualified name of the WebSphere Commerce Server and the configuration path, followed by the URL name, Logon , and the ? character. End the URL with a list of parameters in the form of name-value pairs. Separate each <a href=name-value pair with the & character. For a detailed description of the parameters and their values, see the list entitled Parameter values." />


Parameter values

langId

Sets or resets the preferred language for the duration of the session; the supported languages for a store are found in the STORELANG table

URL

The URL to be called when the command completes successfully

storeId

The reference number of the store the user is logging on to

logonId

The registered user's logon ID

logonPassword

The registered user's password

reLogonURL

The URL that is called if the command fails to complete


Example 1

The following example logs the customer with the logon ID henry and the password h48smith on to the store with reference number 10101, then displays the store home page.

https://myhostname/webapp/wcs/stores/servlet/Logon?logonId=henry&logonPassword=h48smith&URL=TopCategoriesDisplay&        reLogonURL=LogonForm&storeId=10101&catalogId=10101&langId=-1


Behavior

The following checks are done to ensure that the user is allowed to log on:

  1. Verify that the user's account is not disabled. (Not done if LDAP mode is used.)

  2. Verify that logon is allowed. The account lockout policy specifies how much time must elapse after an incorrect password attempt, before a subsequent logon attempt is allowed.

  3. Verify that the password specified by the user is correct.

  4. Verify that the user's account is approved.

  5. Verify that none of the user's ancestor organizations are locked.

  6. Verify that the user has a role in the current store's organization.
If valid credentials are specified, and LDAP mode is used, the default roles specified in MemberRegistrationAttributes.xml are assigned to the user.

Regardless of whether valid credentials were specified, as long as LDAP mode is not used, the AccountLockoutPolicyCmd task command is called to update policy account information for the user:

After successful logon, the following steps are also performed:

  1. The user's resources are migrated from the previous guest user if applicable.

  2. The command context is updated to the authenticated users's identity.

  3. If the password invalidation feature is enabled, and the password is in the expired state, and LDAP mode is not used, the user will be directed to the ChangePassword view.

  4. If the logon took place after the login timeout feature ended the session, the user will be directed to the URL that was originally specified when the login timeout took place.

The detailed behavior flow is...

Note: WebSphere Commerce does not support the concurrent logon of two or more users that log in using the same user ID. For example, consider the scenario where two users at a company regularly share an account at a store. Suppose the first user is on the store's payment page, and just before submitting his or her order, the second user logs in. The following is what will take place:

  1. Browser one ... User 1 logs in as user "xyz"; adds an item to the shopping cart.

  2. Browser two ... User 2 logs in as user "xyz" as well, and goes to the shopping cart page and then proceeds to checkout.

  3. Browser one ... User 1 clicks on checkout, but is informed that he or she has been logged off.

  4. Browser two ... User 2 completes the checkout, as normal.

Another scenario is when businesses use a common user ID for their employees to shop at a B2B store. Either only one user should use the common user ID at a given time, or each user should be setup with their own user ID, or else one of the users will likely not complete their transactions.


Exception conditions

The error handler, ECConstants.EC_ERROR_CODE, captures the error code, which may be one of the following.

Explanation Error Code Value
Missing logon ID ECSecurityConstants.ERR_MISSING_LOGONID (2000)
Invalid logon ID ECSecurityConstants.ERR_INVALID_LOGONID (2010)
Missing password ECSecurityConstants.ERR_MISSING_PASSWORD (2020)
Invalid password ECSecurityConstants.ERR_INVALID_PASSWORD (2030)
Account has been disabled ECSecurityConstants.ERR_DISABLED_ACCOUNT (2110)
Password is too long or too short ECSecurityConstants.ERR_LENGTH_PASSWORD (2120)
Logon attempt took place too soon after previous failed attempt. ECSecurityConstants.ERR_LOGON_NOT_ALLOWED (2300)
One of the ancestral organizations has been locked. ECSecurityConstants.ERR_PARENT_ORG_LOCKED (2400)
You do not play a role in the store's organization or any of its ancestors. ECSecurityConstants.ERR_NOT_REGISTERED_CUSTOMER (2410)
Your status is in pending approval state. You are not allowed to logon unless in approved stated. ECSecurityConstants.ERR_USER_IN_PENDING_APPROVAL (2420)


Related concepts

Member subsystem


Related tasks

Changing the status of a customer's logon account

Set up a password policy

Related reference

AdminResetPassword URL

Logoff URL

ResetPassword URL

RunAsUserSetInSession URL

RestoreOriginalUserSetInSession URL

Member subsystem URLs

Shop flow URLs


+

Search Tips   |   Advanced Search