User security

Optimizely Configured Commerce has two groups of users: console users and website (storefront) users. Console users can only access the Admin Console and have roles starting with ISC_. Website users can only access the storefront, and you can assign them to customers and websites. See Get started with users for information.

Personal information

The only required fields are username and email address, but you can add additional information. What information is stored about the user depends on how the user was created. The customer record stores detailed information from new customers; however, the user record stores fields such as email subscriptions.

Role-based security

Configured Commerce uses role-based security. Some roles may prevent users from accessing certain functions in the Admin Console or storefront. You can also change or reset passwords and unlock users.

The ISC_User role cannot access search configuration pages, including Synonyms, Stopwords, Term Redirects, and Boosts, and cannot invoke job export, import, or integration job cancellation endpoints.

The Spire sign-in and password reset flows validate the returnUrl query parameter. Absolute URLs, protocol-relative URLs, and URLs containing line-break or null control characters are rejected and fall back to the home page.
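One way to implement the returnUrl check described above, as an added example that is not Spire's own code; safeReturnUrl and HOME_PATH are assumed names, and the final parse-against-a-fixed-origin step is a backstop beyond the rules the page lists:

```javascript
// Added example, not Spire's own code: applies the returnUrl rules above.
// HOME_PATH and safeReturnUrl are assumed names; the final parse-and-compare
// step is an extra backstop beyond the rules the page lists.
const HOME_PATH = "/";

// Returns a same-origin path to send the user to after sign-in or password
// reset, or the home page when returnUrl is missing or unsafe.
function safeReturnUrl(returnUrl) {
  if (typeof returnUrl !== "string" || returnUrl === "") return HOME_PATH;
  // Line breaks and null bytes: reject outright (header/log injection).
  if (/[\r\n\0]/.test(returnUrl)) return HOME_PATH;
  // Protocol-relative URLs such as "//evil.example"; browsers treat a
  // backslash like a slash, so "/\evil.example" is rejected as well.
  if (/^[\\\/]{2}/.test(returnUrl)) return HOME_PATH;
  // Absolute URLs: anything beginning with a scheme ("https:", "javascript:").
  if (/^[a-z][a-z0-9+.-]*:/i.test(returnUrl)) return HOME_PATH;
  // Backstop: resolve against a fixed origin; if the origin changed, the
  // string pointed off-site no matter how it was spelled.
  const base = "https://storefront.invalid";
  let parsed;
  try {
    parsed = new URL(returnUrl, base);
  } catch {
    return HOME_PATH;
  }
  if (parsed.origin !== base) return HOME_PATH;
  return parsed.pathname + parsed.search + parsed.hash;
}
```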

Require website account activation by email

You can add security by requiring website users to activate their accounts by email. The activation email contains information for users to activate their accounts and set their passwords.

This feature is available out of the box in Spire; in Classic it requires customization.

  1. Go to Administration > Settings.
  2. Search for Require Activate Account (located under Account Management).
  3. Toggle the option to Yes (default: No).

This option removes the password fields and password requirements from the Create Account page.

The user must enter an email address and user name. When they click Create, they receive an email to activate their account. After they follow the instructions, a confirmation displays that their account has been activated and they can start shopping with it.

If the link in the activation email has expired, the user can choose to resend the activation email.

Passwords

To maintain PA-DSS compliance, passwords must meet the following requirements, set in the Admin Console under Administration > Settings in the Console Security and Website Security sections:

  • Password Minimum Requirement Length – 8
  • Password Requires Special Character – Yes
  • Password Requires Uppercase – Yes
  • Password Requires Lowercase – Yes
  • Password Requires Digit – Yes
  • Lockout Enabled – Yes
  • Max Failed Attempts Before Lockout – 5
  • Lockout Time in Minutes – 10

PA-DSS also requires that admin user passwords expire at least every 90 days and that the system tracks when user passwords are changed. New passwords must be different from the user's last four passwords. See Manage passwords for information.

Maintain a user's session

Configured Commerce lets you control how long to maintain a user's session.

Remember Me lets users access certain content on the website without repeatedly signing in, unless they visit from a different browser or device. If they sign out of the site, they must re-authenticate; they must also re-authenticate to access their account pages or complete checkout.

The following is true for users who have selected the Remember Me checkbox, are returning to the site using the same browser or device, and are within the defined number of days allowed per session:

  • Users can see all pricing and availability, the cart, and any wishlists as if they were signed into the website.
  • Pricing is calculated based on the user's default bill to/ship to address. If no default bill to/ship to exists, the system calculates prices based on the last selected address.
  • If you do not enable additional pages to be remembered, users must re-authenticate to access addresses, account settings, user administration, budget management, invoice history, job quotes, order history, order approval, requisitions, quote history, saved orders, or checkout.

Keep Me Signed In maintains user sessions like Remember Me and includes retaining the user's session when they access their account pages or complete checkout. When you enable this feature, user sessions are kept active, without limitations, for the number of days defined by Days To Retain User.

Follow these steps to enable Remember Me or Keep Me Signed In:

  1. Go to Administration > Settings > Account Management.
  2. Expand the Remember Me / Keep Me Signed In drop-down list under Website Security and select Remember Me or Keep Me Signed In.
  3. Adjust the Days To Retain User field value if desired. The default is 30 days.
  4. (Optional) Select the additional Pages To Be Remembered if you selected Remember Me. The default page remembered with this feature is My Lists. To include additional pages, click Select Pages, select the desired pages, and click Save. All pages that you select include their subpages.

Follow these steps to disable these features:

  1. Go to Administration > Settings > Account Management.
  2. Expand the Remember Me / Keep Me Signed In drop-down list under Website Security and select Not Applicable.
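The Remember Me and Keep Me Signed In rules above expressed as one access decision, added here as an example that is not Configured Commerce code; the page paths, the session shape and the function names are assumed.

```javascript
// Added example, not Configured Commerce code: an access decision that follows
// the Remember Me / Keep Me Signed In rules described above. Setting names
// mirror the Admin Console fields; page paths and function names are assumed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Pages a Remember Me user must re-authenticate for unless they are listed
// under Pages To Be Remembered (assumed paths for the pages named above).
const REAUTH_PAGES = ["/my-account/addresses", "/my-account/settings",
  "/my-account/users", "/my-account/budgets", "/my-account/invoices",
  "/my-account/job-quotes", "/my-account/orders", "/my-account/order-approval",
  "/my-account/requisitions", "/my-account/quotes", "/my-account/saved-orders",
  "/checkout"];

// A selected page covers its subpages, so "/my-account/orders/123" matches
// "/my-account/orders".
function pageMatches(requested, page) {
  return requested === page || requested.startsWith(page + "/");
}

// settings: { mode: "Not Applicable" | "Remember Me" | "Keep Me Signed In",
//             daysToRetainUser: 30, pagesToBeRemembered: ["/my-lists"] }
// session:  { signedIn: bool, rememberedAt: epoch ms | null }; a different
//           browser or device simply carries no rememberedAt token.
// Returns "allow", "sign-in" (no usable session) or "re-authenticate".
function accessDecision(session, requestedPage, settings, now) {
  if (session.signedIn) return "allow";
  if (settings.mode === "Not Applicable" || session.rememberedAt == null) return "sign-in";
  // Both modes expire after Days To Retain User.
  if (now - session.rememberedAt > settings.daysToRetainUser * DAY_MS) return "sign-in";
  if (settings.mode === "Keep Me Signed In") return "allow";
  // Remember Me: account pages and checkout need a fresh sign-in unless remembered.
  const remembered = settings.pagesToBeRemembered.some((p) => pageMatches(requestedPage, p));
  const needsReauth = REAUTH_PAGES.some((p) => pageMatches(requestedPage, p));
  return needsReauth && !remembered ? "re-authenticate" : "allow";
}
```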

The system tracks user activity separately from authentication state. User activity is recorded periodically based on interactions with the website. This tracking helps ensure that features relying on user activity, such as inactivity-based processes, reflect actual usage rather than only login events.

Authentication settings

Authentication cookie domain – Controls how the authentication cookie is scoped across domains.

When configured, the authentication cookie is scoped to the specified domain suffix instead of the exact request host. This allows users to remain signed in across multiple subdomains.

If not configured, the authentication cookie is scoped to the exact request host.

This setting is website-specific, requires an application restart, and is editable only by users in the ISC_System and ISC_Implementer roles.

Custom properties

Custom property fields are available to facilitate implementation-specific, custom functionality. These can be found within the Application Dictionary.