Reference > Shop flow URLs > Member subsystem URLs > Security
Logon URL
Log a registered user on to a store or site.
Use this URL with SSL (Secure Sockets Layer) to ensure that the customer's logon password and personal information are encrypted.
To do so, type the URL with the HTTPS secure protocol.
URL structure
- http:// host_name/path/
- The fully qualified name of the WebSphere Commerce Server and the configuration path
name-value pair with the & character. For a detailed description of the parameters and their values, see the list entitled Parameter values." />
Parameter values
- langId
- Sets or resets the preferred language for the duration of the session; the supported languages for a store are found in the STORELANG table
- URL
- The URL to be called when the command completes successfully
- storeId
- The reference number of the store the user is logging on to
- logonId
- The registered user's logon ID
- logonPassword
- The registered user's password
- reLogonURL
- The URL that is called if the command fails to complete
Example 1
The following example logs the customer with the logon ID henry and the password h48smith on to the store with reference number 10101, then displays the store home page.
https://myhostname/webapp/wcs/stores/servlet/Logon?logonId=henry&logonPassword=h48smith&URL=TopCategoriesDisplay& reLogonURL=LogonForm&storeId=10101&catalogId=10101&langId=-1
Behavior
The following checks are done to ensure that the user is allowed to log on:
If valid credentials are specified, and LDAP mode is used, the default roles specified in MemberRegistrationAttributes.xml are assigned to the user.
- Verify that the user's account is not disabled. (Not done if LDAP mode is used.)
- Verify that logon is allowed. The account lockout policy specifies how much time must elapse after an incorrect password attempt, before a subsequent logon attempt is allowed.
- Verify that the password specified by the user is correct.
- Verify that the user's account is approved.
- Verify that none of the user's ancestor organizations are locked.
- Verify that the user has a role in the current store's organization.
Regardless of whether valid credentials were specified, as long as LDAP mode is not used, the AccountLockoutPolicyCmd task command is called to update policy account information for the user:
- Account lockout policy:
- USERREG.PASSWORDRETRIES is incremented on a bad password attempt.
- If there have been too many retries with incorrect passwords, the user account will be disabled, by setting USERREG.STATUS to 0.
- Policy password policy:
- If the password is too old, the password is changed to the expired state, by setting USERREG.PASSWORDEXPIRED to 1.
After successful logon, the following steps are also performed:
- The user's resources are migrated from the previous guest user if applicable.
- The command context is updated to the authenticated users's identity.
- If the password invalidation feature is enabled, and the password is in the expired state, and LDAP mode is not used, the user will be directed to the ChangePassword view.
- If the logon took place after the login timeout feature ended the session, the user will be directed to the URL that was originally specified when the login timeout took place.
The detailed behavior flow is...
- Calls the VerifyCredentialsCmd task command, which calls one of the following tasks:
- DBAuthenticationCmd (This task always needs to be defined and we do provide a default implementation)
- LDAPAuthenticationCmd
- ThirdPartyAuthenticationCmd
This ensures that the customer's logon ID and password are correct.
- Calls the following tasks:
- AccountLockoutPolicyCmd
- AuthenticationPolicyCmd
- MigrateUserEntriesCmd (This task always needs to be defined and we do provide a default implementation)
- Checks whether the password has expired and if it has, redirects to the ChangePassword view.
- If any of the ancestral organizations to which a customer or administrative user for a store belong are locked, they will not be able to log on to the store.
- With the Logon command, users logon on a per-store basis, and not a per-site basis. If a user does not play a role in a store's organization or any of its ancestral organizations, WebSphere Commerce does not allow the user to logon to the store.
- If a user's registration approval status is pending approval, WebSphere Commerce does not allow that user to logon to the store.
Note: WebSphere Commerce does not support the concurrent logon of two or more users that log in using the same user ID. For example, consider the scenario where two users at a company regularly share an account at a store. Suppose the first user is on the store's payment page, and just before submitting his or her order, the second user logs in. The following is what will take place:
- Browser one ... User 1 logs in as user "xyz"; adds an item to the shopping cart.
- Browser two ... User 2 logs in as user "xyz" as well, and goes to the shopping cart page and then proceeds to checkout.
- Browser one ... User 1 clicks on checkout, but is informed that he or she has been logged off.
- Browser two ... User 2 completes the checkout, as normal.
Another scenario is when businesses use a common user ID for their employees to shop at a B2B store. Either only one user should use the common user ID at a given time, or each user should be setup with their own user ID, or else one of the users will likely not complete their transactions.
Exception conditions
The error handler, ECConstants.EC_ERROR_CODE, captures the error code, which may be one of the following.
Explanation Error Code Value Missing logon ID ECSecurityConstants.ERR_MISSING_LOGONID (2000) Invalid logon ID ECSecurityConstants.ERR_INVALID_LOGONID (2010) Missing password ECSecurityConstants.ERR_MISSING_PASSWORD (2020) Invalid password ECSecurityConstants.ERR_INVALID_PASSWORD (2030) Account has been disabled ECSecurityConstants.ERR_DISABLED_ACCOUNT (2110) Password is too long or too short ECSecurityConstants.ERR_LENGTH_PASSWORD (2120) Logon attempt took place too soon after previous failed attempt. ECSecurityConstants.ERR_LOGON_NOT_ALLOWED (2300) One of the ancestral organizations has been locked. ECSecurityConstants.ERR_PARENT_ORG_LOCKED (2400) You do not play a role in the store's organization or any of its ancestors. ECSecurityConstants.ERR_NOT_REGISTERED_CUSTOMER (2410) Your status is in pending approval state. You are not allowed to logon unless in approved stated. ECSecurityConstants.ERR_USER_IN_PENDING_APPROVAL (2420)
Related concepts
Related tasks
Changing the status of a customer's logon account
Related reference
RestoreOriginalUserSetInSession URL