Story - new functionality #6
openEpic - New Feature #3: LSM - User accounts & login
LSM - User Login / Logout and Session Management
Description
User must be able to login to and logout from the LSM platform.
The Login procedure must use following steps:
- User enters user-id (email address); check valid email address format on input
- System checks if User's email exists and if the User Account is active; in case of errors a matching notification will be sent to the screen
- A link containing a unique session key is sent to the (existing) User's email
- User clicks on the link in the email and is redirected back to the LSM platform
- User is logged in automatically and can use the platform's services
Error-messages:
- if no User Account exists for the submitted email address, the following notification is presented:
"No user account exists for email address [email_address]"
- if User Account for the submitted email address is not active, the following notification is presented:
"This user account ([email_address]) is currently not activated. Please contact your administrator for support."
Logging:
Attempts to login (failed and successful) must be recorded in a logbook.
Datetime of the last successful login is presented on the screen (after user logged in).
Session-management:
Users may stay logged in to the system after they have successfully logged in.
Users must be logged in automatically during 1 week (configurable) after the last successful login.
So the Session-key is valid for 1 week after a successful login.
After each successful login the SessionKey is refreshed.
Session Keys must be of type UUID to eliminate chances of replay attacks and session hijack.
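The following is an added worked example of the whole flow described in this story (format check, account check, emailed link, automatic login, 1-week session, key refresh, logbook); it is illustration code, not code from the LSM project. It keeps users, links and sessions in memory and records "sent" mail in an outbox list so it runs offline. The 15-minute lifetime of the emailed link, the login URL, and the wording of the "valid email" and "link sent" messages are assumptions the story does not specify; the two error messages are quoted from the story as written. Both the link token and the session key are UUID4 values, which Python's `uuid.uuid4()` draws from `os.urandom`, and the link is single-use so that following it a second time does not log anyone in.

```python
from __future__ import annotations

import re
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

SESSION_LIFETIME = timedelta(weeks=1)   # "1 week (configurable)" from the story
LINK_LIFETIME = timedelta(minutes=15)   # assumption: the story sets no lifetime for the emailed link
LOGIN_URL = "https://lsm.example/login?token="  # placeholder URL, not the real platform's
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse format check on input


@dataclass
class User:
    email: str
    active: bool = True
    last_login: Optional[datetime] = None


@dataclass
class LoginLink:
    email: str
    expires_at: datetime
    used: bool = False          # single-use: a re-used link must not log anyone in


@dataclass
class Session:
    key: str                    # UUID4, as the story requires
    email: str
    expires_at: datetime
    previous_login: Optional[datetime]  # "datetime of the last successful login" shown on screen


class LoginService:
    def __init__(self, users: list[User],
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.users = {u.email.lower(): u for u in users}
        self.now = now                                   # injectable clock, so expiry can be tested
        self.links: dict[str, LoginLink] = {}
        self.sessions: dict[str, Session] = {}
        self.outbox: list[tuple[str, str]] = []          # (recipient, link): stand-in for real mail
        self.logbook: list[tuple[datetime, str, str]] = []  # (when, email, outcome): the story's logbook

    def _log(self, email: str, outcome: str) -> None:
        self.logbook.append((self.now(), email, outcome))

    def request_login(self, email: str) -> str:
        """Steps 1-3: validate the address, check the account, e-mail a one-time link."""
        if not EMAIL_RE.match(email):
            self._log(email, "invalid-format")
            return "Please enter a valid email address."          # assumed wording
        user = self.users.get(email.lower())
        if user is None:
            self._log(email, "unknown-account")
            return f"No user account exists for email address {email}"
        if not user.active:
            self._log(email, "inactive-account")
            return (f"This user account ({email}) is currently not activated. "
                    "Please contact your administrator for support.")
        token = str(uuid.uuid4())
        self.links[token] = LoginLink(user.email, self.now() + LINK_LIFETIME)
        self.outbox.append((user.email, LOGIN_URL + token))
        self._log(user.email, "link-sent")
        return f"A login link has been sent to {user.email}."      # assumed wording

    def complete_login(self, token: str) -> Optional[Session]:
        """Steps 4-5: the user follows the link; issue a fresh session key."""
        link = self.links.get(token)
        if link is None or link.used or self.now() > link.expires_at:
            self._log(link.email if link else "?", "bad-link")
            return None
        link.used = True
        user = self.users[link.email.lower()]
        # Refresh: every successful login replaces the user's previous session key.
        for key in [k for k, s in self.sessions.items() if s.email == user.email]:
            del self.sessions[key]
        session = Session(str(uuid.uuid4()), user.email,
                          self.now() + SESSION_LIFETIME, user.last_login)
        self.sessions[session.key] = session
        user.last_login = self.now()
        self._log(user.email, "success")
        return session

    def authenticate(self, session_key: str) -> Optional[str]:
        """Return the logged-in user's email while the session key is inside its 1-week window."""
        session = self.sessions.get(session_key)
        if session is None or self.now() > session.expires_at:
            return None
        return session.email
```

Two design points worth keeping in mind when this is built for real: a UUID protects the session only because UUID4 is drawn from the operating system's random source, so a merely unique value such as a time-based UUID1 would not give the replay and hijack resistance the story is after; and the two distinct error messages the story requires tell whoever submits the form whether an address is enrolled, so the logbook's "unknown-account" entries are the place to watch for bulk probing of addresses.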