Display a Message in FCC After a Wrong Login Attempt

Document ID : KB000115141
Last Modified Date : 17/09/2018
Show Technical Document Details
Question:
I am currently working on displaying an error message on an incorrect login attempt. 

Therefore I tried using the $$smauthreason$$ in JavaScript in the login.fcc. 

Unfortunately, it does not work as smauthreason is not given so that a potential attacker will not know the reason for the failed 

How can I achieve to display this custom message on a wrong login attempt directly inside the FCC ? 
Answer:
Since Authentication and Authorization are decoupled in the framework, the problem has been addressed in 2 parts:

-    Message for failed authentications:

In this case, we have used “unauth” pages: after a number of attempts, the code of the alternative page is rendered to the client (the URL will not change, thus no redirection is implied). 
In order to show a message for failed logins, the setup is pretty straightforward; you can proceed as follows:
 
1.    Set the directive “@smretries=1” (default is “0”) in the login.fcc; 
This controls how many authentication attempts will be done using the login.fcc before showing the content of the login.unauth file
Setting this to “1” will display the “plain” login.fcc only for the first attempt

2.    Make a copy of the “login.fcc” page and rename it as “login.unauth” in the same folder (for other pages, use the same name changing extension. E.g. mobile.fcc will become mobile.unauth)

3.    Add some code in the login.unauth to display a message to the client
You can add a message directly in the page, like e.g. “<h3> Authentication failed </h3>”
 
In this way, clients could do authentication even after the first attempt, using the form rendered by the unauth page (login attempts are also controlled by Password Policies, this is only “cosmetic”); the only difference between pages is that when the “unauth” is used it will show the message

-    Message for unauthorized users:

The default behavior in this case is to redirect users to the authentication FCC page.
This can happen both after authentication or while accessing in single sign-on; the check is done when the client is trying to access to the resource, if not authorized the client will be redirected to the FCC (default behavior)

We have set a cookie using a global response (e.g. “LOGINERROR”), bound to the “OnAccessReject” event
When the user is redirected to the FCC, the cookie content is rendered in the page by the WebAgent using a macro (in the previous example, “$$LOGINERROR$$” will expand to the content of the cookie). A message is shown accordingly to this cookie content