Solved Validate UN & PW before passing through to new url

June 28, 2018 at 23:44:00
Specs: All
In my organization, we need all employees to have access to a learning portal. However, we don't want hourly employees to access this learning portal off-site or outside of their scheduled shift.

The portal requires 3 items to successfully login:
1. Organization Code
2. Employee ID
3. Unique PW

To help prevent hourly associates from logging into the portal we've created a custom login page that lives on our internal server and in building it masked the Organization Code from their view.

All is working great... except when they don't use the correct password. When they enter an incorrect PW they are still routed to the learning portal where they receive a message that says they've entered wrong login information. This exposes the Organization Code to them as well as true login URL for the portal which they can then use to login when and where they please.

How do I prevent our custom login page from moving forward when they password is wrong?

(Note: I don't have access to a list of everyone's passwords.)


See More: Validate UN & PW before passing through to new url

Reply ↓  Report •

#1
July 4, 2018 at 13:29:08
✔ Best Answer
You'll need to find out if the login process exposes an API for verifying logins (which I think is pretty unlikely, because that would potentially be a nice big security hole). If it does, it will be a case of doing something like this in your custom login page:

retval = function_that_verifies_logins(orgcode, username, password)
if retval == good_login {
  load_url(welcome_screen)
} else {
  load_url(login_failure_screen)
}

(Why don't you want the employees to know the organization code?)

Alternately, you could see if the portal offers a way to track the times employees were active, and tell employees "don't go off shift or you're fired" (or whatever). That would (obviously) require someone to monitor employee use.


Reply ↓  Report •
Related Solutions


Ask Question