By default, all Aeon installations are set up with standard Aeon authentication. This type of authentication allows anyone with access to the New User Registration web form (NewUserRegistration.html) to register for a new account, choose a username and password, and then use that username and password to immediately log into the Aeon web interface. As standard Aeon authentication does not verify user information against any external system upon registration or login before creating the user's account, you may experience periods of bot-driven automatic account creation spam wherein bots use the New User Registration form to create a large number of accounts in a short period of time.
The release of Aeon Server 5.1.16 and Aeon Server 5.2.4 includes several new options for preventing excessive new user account creation spam on the New User Registration form. This article will detail these options and how to configure them for your Aeon installation after updating.
Option 1: Add Captcha Requirement to the New User Registration Form
Extra security against spam account creation can be provided by adding a captcha requirement to the New User Registration form (NewUserRegistration.html). Once added, users will need to solve the captcha requirement to submit the form and create their Aeon account, which will prevent bot-driven account creation spam. To add the captcha requirement, Aeon must be configured to integrate with one of three supported third-party captcha providers. Once a provider is selected, your institution will need to create an account with that provider and use the account details to configure the captcha integration in the Aeon Customization Manager. The following third-party captcha providers and plans are supported by Aeon:
- Google reCAPTCHA: The reCAPTCHA v2 (both the "invisible" and "checkbox" variants) and reCAPTCHA v3 are supported options
Due to a Google bug, HTML5 validation configured on the New User Registration form will no longer properly display the tooltips notifying the user of any missing/invalid information that is preventing the submission of the form when using the "invisible" reCAPTCHA v2 variant. Users may also experience a delay before they are allowed to re-submit the form after their first invalid form submission.
Note that reCAPTCHA Enterprise is not supported by Aeon
- hCaptcha: The free "Publisher" plan is supported
- MTCaptcha: The free plan is supported
For complete details on the accessibility features offered by each captcha provider, please see the captcha provider's documentation:
After choosing a captcha provider and plan, the captcha requirement can be added to the New User Registration form following the steps below:
- Creating an account with the captcha provider of your choice
- Configuring the captcha customization keys in the Aeon Customization Manager
- Updating your web pages to add the new captcha web page files and to update NewUserRegistration.html to include the new captcha field
1. Create a Captcha Account
Before a captcha integration can be configured for Aeon, you must first create an account with one of the three supported third-party captcha providers. After creating the account, you will use the account information to configure your captcha integration in the Customization Manager. Note that only the free plans offered by each captcha provider are supported by Aeon at this time. See each provider's section below for more detailed instructions on how to create your account.
To create a Google reCAPTCHA account:
- Visit https://www.google.com/recaptcha/about/ and optionally review the listed features for reCAPTCHA v2 and reCAPTCHA v3 on this page to decide which option to use for your captcha requirement on the user registration form. For more information, see the reCAPTCHA documentation. reCAPTCHA Enterprise is not supported by Aeon at this time.
- Click v3 Admin Console at the top of the page when you are ready to create an account. You will be asked to sign-in/create a Google account before beginning the reCAPTCHA sign-up process if you are not already signed in to Google.
- Under Label, enter a label or name to use to identify your account.
- Under reCAPTCHA type, select either the reCAPTCHA v3 or reCAPTCHA v2 option
- If reCAPTCHA v2 is selected, you must then select either the "'I'm not a robot' checkbox" or the "invisible reCAPTCHA badge" variant
- Under Domains, type the domain of the server that hosts your Aeon web pages (e.g., https://<your.AeonWeb.domain>/)
- Click the plus sign (+) to add the domain
- Agree to the terms and conditions and click Submit to create the account
- Once registration is completed, you will be shown a page containing the Site Key and Secret Key values associated with your new account. Save these values as they will be used to configure the CaptchaSiteId and CaptchaSecret customization keys in the Aeon Customization Manager during the next step of the configuration process.
To create an hCaptcha account:
- Visit https://www.hcaptcha.com
- Click the Sign-Up button to begin the account creation process
- Click the Add hCaptcha to your service (free) option
- Follow the prompts to register for a free account
- Once registration is completed, you will be shown a page containing the Sitekey and Secret values associated with your new account. Save these values as they will be used to configure the CaptchaSiteId and CaptchaSecret customization keys in the Aeon Customization Manager during the next step of the configuration process.
To create an MTCaptcha account:
- Visit https://www.mtcaptcha.com
- Click the Free Account button to begin the account creation process
- Follow the prompts to register for an account. When prompted for the Domain Name, type the domain of the server that hosts your Aeon web pages (e.g., https://<your.AeonWeb.domain>/)
- Once registration is completed, you will be shown a page containing the Site Key and Private Key values associated with your new account. Save these values as they will be used to configure the CaptchaSiteId and CaptchaSecret customization keys in the Aeon Customization Manager during the next step of the configuration process.
2. Configure Captcha Customization Keys
Once your captcha account is created using one of the providers above, you will then need to use information from the captcha account to configure a series of customization keys in the Aeon Customization Manager (all keys are located under System | System):
- CaptchaProvider: Enter one of the following options exactly as shown below based on the captcha provider and plan you selected:
- CaptchaSecret: Enter the Private Key (MTCaptcha)/Secret Key (reCAPTCHA)/Secret (hCaptcha) value associated with your captcha account.
- CaptchaSiteId: Enter the Site Key value associated with your captcha account.
Next, optionally review and modify the status line text that will appear on the Aeon web interface if a user fails the captcha challenge on the user registration form:
- SLCaptchaFailure (located under Web Interface | Status Lines)
3. Edit Web Pages
After the new customization keys have been configured, follow the instructions below to update your web pages and add the captcha requirement to NewUserRegistration.html:
- Visit the Aeon Downloads page and download the latest version of the Aeon 5.1/5.2 Default Web Pages
- Unzip the downloaded zip file containing the new web page files
- Navigate into the folder containing the new web page files
- Navigate into the templates subfolder
- Copy the captcha subfolder and add this entire folder as a new subfolder within the templates folder in your Aeon web directory (in GitHub or at the default location on the Aeon server: C:\Program Files (x86)\Aeon\Web\templates). This folder contains the following files. Please ensure that the entire folder containing these files is added to your web directory:
Locate and make the following changes to the NewUserRegistration.html file in your Aeon web directory:
Change this (default line 20):
<form action="aeon.dll" id="registration-form"
And change this (default line 308):
<button class="btn btn-primary btn-md"
- Save your changes
- The captcha challenge requirement is now implemented on the New User Registration form. View and test the new captcha requirement on the form to ensure the integration has been properly configured.
Option 2: Disable New User Registration for Accounts Using Standard Aeon Authentication
User registration can be completely disabled for accounts created through standard Aeon authentication (AeonAuth) from the New User Registration form (NewUserRegistration.html) using the AeonAuthUserRegistrationEnabled customization key. This option will prevent the creation of spam accounts by completely blocking account creation for users who are not pre-authorized for an Aeon account via an Aeon Exclusive, LDAP, PatronAPI, or Remote Authentication configuration.
After disabling user registration for new AeonAuth accounts, the New User Registration form will still be accessible to users on the web interface. However, when these users attempt to submit the form to register for a new account, the form will not be submitted and the SLUserRegistrationDisabled status line will display, indicating that user registration has been disabled and that the user should contact staff for assistance.
To use the AeonAuthUserRegistrationEnabled customization key to disable new user registration for accounts created via standard Aeon authentication (AeonAuth):
- Open the Aeon Customization Manager
- Navigate to the AeonAuthUserRegistrationEnabled customization key located under System | System
- Set the value of this key to No
- Click Save to save your changes
- User registration is now disabled for standard Aeon accounts created through the New User Registration form
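To confirm that either option has stopped the bursts of account creation described at the top of this article, registration timestamps can be scanned for clusters before and after the change. The following is an added example, not part of Aeon or of the original article; the CSV export, its column names, and the window and threshold values are assumptions to adapt to your own data.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. The column names are assumptions, not Aeon's schema.
SAMPLE_EXPORT = """username,created
jsmith,2024-03-04 09:12:44
mlee,2024-03-04 13:40:02
qx7r1,2024-03-05 02:14:01
qx7r2,2024-03-05 02:14:09
qx7r3,2024-03-05 02:14:20
qx7r4,2024-03-05 02:15:02
qx7r5,2024-03-05 02:16:30
qx7r6,2024-03-05 02:18:55
qx7r7,2024-03-05 02:19:00
apatel,2024-03-05 10:05:13
"""

def load_registrations(text):
    """Parse the export into a time-sorted list of (created, username)."""
    rows = csv.DictReader(io.StringIO(text))
    return sorted(
        (datetime.strptime(r["created"], "%Y-%m-%d %H:%M:%S"), r["username"])
        for r in rows
    )

def find_bursts(regs, window=timedelta(minutes=5), threshold=5):
    """Flag runs where at least `threshold` accounts were created within `window`."""
    bursts = []  # [first_index, last_index] pairs into regs
    left = 0
    for right, (ts, _) in enumerate(regs):
        # Shrink the window until it spans no more than `window` of time.
        while ts - regs[left][0] > window:
            left += 1
        if right - left + 1 >= threshold:
            if bursts and left <= bursts[-1][1]:
                bursts[-1][1] = right         # overlaps the previous burst: extend it
            else:
                bursts.append([left, right])  # a separate burst
    return [
        {"start": regs[a][0], "end": regs[b][0], "count": b - a + 1,
         "usernames": [u for _, u in regs[a:b + 1]]}
        for a, b in bursts
    ]

if __name__ == "__main__":
    for b in find_bursts(load_registrations(SAMPLE_EXPORT)):
        print(f'{b["count"]} accounts between {b["start"]} and {b["end"]}: {b["usernames"]}')
```

An empty result over the period after the captcha requirement or the AeonAuthUserRegistrationEnabled change went live indicates the registration bursts have stopped; accounts listed in earlier bursts are candidates for staff review.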