SPEC 5449 - Password Security Enhancements in Decor 24

Date Released: August 2018

Modules: Decor 24

Description: Security enhancements were made in Decor 24.

Reason for Change: Provide more password security in D24.

Changes to the User Settings File Maintenance (D24 2)

Screen 1

  • Passwords are no longer displayed.
  • A user is disabled if the Last Accessed Date is more than a specified number of days old.
  • A user is deleted if the Last Accessed Date is more than a specified number of days old.
  • A Days Since Login setting was added.

Screen 2

The password field has been removed.

Changes to the Global Settings (D24 1)

The following screen was added to allow you to maintain security and password functionality.

Settings

Expiration Interval to Disable Session-Id (in minutes)

Enter, in minutes, the time DECOR 24 will stay active when not being used. After the set time has elapsed, the DECOR 24 session will end and the user will have to log back in.

If this setting is left blank, the Decor 24 session has to be ended manually.

Allow Multiple Sessions per User

When a user logs into and starts using Decor 24, the user name and a "session number" are validated by Decor 24. This combination of validated user name and session number is required to use the Decor 24 web services.

If the setting is activated:

  • User will be able to sign into multiple sessions using the same login
  • The shopping cart is user specific and is shared by all active sessions
  • The session that checks out will include all the items in the shared shopping cart in its order.
  • After check-out the shopping cart is empty in all other sessions.
  • If one session changes the default Account#, then all other open sessions will adhere to that change. The other sessions might need to refresh their views to see the change.

If the setting is not activated:

  • Decor 24 will restrict users from signing into multiple sessions using the same User ID.
  • Users of Decor 24 web services are blocked from accessing the services if there is an active Decor 24 session for that User ID.

REGEX for Password Validation

A Regular Expression (REGEX) is a sequence of characters that defines a search pattern. The REGEX entered here is the pattern that a password must match to be accepted.

The following examples show how the REGEX code is used. For each rule, the part of the example REGEX statement that enforces it is shown after the ellipsis (...).

Example 1

REGEX: (?=.*[0-9]+.*)(?=.*[A-Z]+.*)[0-9A-Z]{6,}$

  • Must contain at least one number ...[0-9]
  • at least one uppercase letter ...[A-Z]
  • consist only of uppercase letters and numbers ...[0-9A-Z]
  • be at least 6 characters long ...{6,}

Matches: A1B2C3 | ABCDEFG123 | 12345A

Non-matches: abcdefghij | 1234567890

Example 2

REGEX: ^(?=[^\d_].*?\d)\w(\w|[!@#$%]){7,20}

  • Must be 8 to 20 characters ...{7,20}
  • consisting of alphanumeric characters ...\w
  • and the selected special characters ...[!@#$%]
  • Can not start with a digit, underscore or special character, but must contain at least one digit ...(?=[^\d_].*?\d)\w

Matches: Password1 | pa$$WORD2 | pa!@#$%3D

Non-Matches: Password | 1stPassword | $Password#

For more information on REGEX statements refer to https://en.wikipedia.org/wiki/Regular_expression.
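As an added illustration (not part of the spec or the Decor 24 product), the following Python checks the two example patterns above against the spec's listed matches and non-matches using an anchored full match, and shows two things to know before copying them: Example 1 has no leading ^, so an unanchored search would let lowercase characters through, and Example 2's \w followed by {7,20} permits 21 characters rather than 20. It assumes Python re semantics; how Decor 24 itself applies the pattern is not stated on this page.

```python
import re

# The two example patterns from the spec, copied as written.
EXAMPLE_1 = r"(?=.*[0-9]+.*)(?=.*[A-Z]+.*)[0-9A-Z]{6,}$"
EXAMPLE_2 = r"^(?=[^\d_].*?\d)\w(\w|[!@#$%]){7,20}"

# Matches / non-matches listed in the spec for each example.
SPEC_CASES = {
    EXAMPLE_1: (["A1B2C3", "ABCDEFG123", "12345A"],
                ["abcdefghij", "1234567890"]),
    EXAMPLE_2: (["Password1", "pa$$WORD2", "pa!@#$%3D"],
                ["Password", "1stPassword", "$Password#"]),
}


def password_allowed(pattern: str, password: str) -> bool:
    """Anchored check: the entire password must satisfy the REGEX."""
    return re.fullmatch(pattern, password) is not None


def password_search_allowed(pattern: str, password: str) -> bool:
    """Unanchored check: accepts if any substring satisfies the REGEX.
    Included only to show why the pattern's own anchors matter."""
    return re.search(pattern, password) is not None


def verify_spec_cases(pattern: str) -> list:
    """Return the spec's listed matches/non-matches that the anchored check
    classifies differently from the spec (an empty list means all agree)."""
    matches, non_matches = SPEC_CASES[pattern]
    disagreements = [p for p in matches if not password_allowed(pattern, p)]
    disagreements += [p for p in non_matches if password_allowed(pattern, p)]
    return disagreements


if __name__ == "__main__":
    for pat in (EXAMPLE_1, EXAMPLE_2):
        print(pat, "disagreements:", verify_spec_cases(pat))  # [] for both
    # Example 1 has no leading ^: an unanchored search accepts "abcd12345A"
    # because the substring "12345A" satisfies the pattern on its own.
    print(password_search_allowed(EXAMPLE_1, "abcd12345A"))  # True
    print(password_allowed(EXAMPLE_1, "abcd12345A"))         # False
    # Example 2: \w plus {7,20} allows 8 to 21 characters, not 8 to 20.
    print(password_allowed(EXAMPLE_2, "Abcdefghijklmnopqrst1"))  # 21 chars: True
```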


DISABLE D24 User when inactive for more than ___ days

DELETE D24 User when inactive for more than ___ days

A user is either Disabled (active status is set to N) or Deleted when the number of days since the Last Accessed Date Time is equal to (or, in the case of existing records, greater than) the number of days entered here.

If a value is not entered the setting will be ignored.

Admin E-mail Address

Enter the e-mail address to which the spooled file output listing the Disabled and Deleted users is sent.