Optimizely Configured Commerce offers several options to control the specifics of timeouts and passwords. These settings are located in the Admin Console: Administration > Settings.
Timeout settings
Search for Site Timeout Minutes to adjust the timeout period for website users. Enter the number of minutes of user inactivity after which users are signed out and must sign back in (requires a website restart). Default value: 15.
In the Admin Console, users receive a notification after 12 minutes of inactivity. After 15 minutes, they are logged out and redirected to the login page. When they sign in again, they return to where they left off.
You cannot modify the timeout period for Admin users due to PCI compliance implications.
PA-DSS compliance
PA-DSS requires a timeout of 20 minutes or less. If you accept credit card transactions, you should not override this setting in the Admin Console. Because some clients do not take credit cards as payment and rely on purchase orders, it may be necessary to adjust the timeout settings. However, changing timeout settings could cause a site or environment to fall out of compliance with security standards such as PA-DSS.
Lockout settings
Search for Lockout Time in Minutes. By default, this setting is enabled for both Console Security and Website Security, locking out users who fail to log in successfully after a certain number of attempts.
You can set the Max Failed Attempts Before Lockout and Lockout Time in Minutes. By default, users who make five sequential failed login attempts are locked out for ten minutes. Afterward, the user has five more attempts to log in. If those fail, the user is locked out for ten minutes again. This cycle repeats until they successfully log in.
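The lockout cycle described above, modelled as a small simulation so you can see how the two settings interact. This is an added example, not Optimizely's code: the class and method names are assumed, and it assumes attempts made during an active lockout are rejected without extending the lockout.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    max_failed_attempts: int = 5  # "Max Failed Attempts Before Lockout" default
    lockout_minutes: int = 10     # "Lockout Time in Minutes" default


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Tracks sequential failed logins per user and applies the lockout policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Returns 'ok', 'failed' or 'locked' for one login attempt at time `now`."""
        state = self.accounts.setdefault(user, AccountState())
        if state.locked_until is not None:
            if now < state.locked_until:
                # Still inside the lockout window: reject even a correct password.
                return "locked"
            # Lockout expired: the user gets a fresh set of attempts.
            state.locked_until = None
            state.failed_attempts = 0
        if password_ok:
            state.failed_attempts = 0  # a success ends the cycle
            return "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= self.policy.max_failed_attempts:
            state.locked_until = now + timedelta(minutes=self.policy.lockout_minutes)
            return "locked"
        return "failed"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0)  # constructed timestamp
    tracker = LockoutTracker(LockoutPolicy())
    for i in range(5):
        print(i + 1, tracker.attempt("alice", False, t0 + timedelta(seconds=i)))
    print("during lockout:", tracker.attempt("alice", True, t0 + timedelta(minutes=5)))
    print("after lockout:", tracker.attempt("alice", True, t0 + timedelta(minutes=11)))
```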
Password expiration
Passwords for website users do not expire. The password expires after 90 days for users with the roles ISC_Admin, ISC_System, or ISC_Integration. This expiration is set in the code and is not configurable.