Preventing Account Creation Spam in Aeon


By default, all Aeon installations are set up with standard Aeon authentication. This type of authentication allows anyone with access to the New User Registration web form (NewUserRegistration.html) to register for a new account, choose a username and password, and then use that username and password to immediately log into the Aeon web interface. As standard Aeon authentication does not verify user information against any external system upon registration or login before creating the user's account, you may experience periods of bot-driven automatic account creation spam wherein bots use the New User Registration form to create a large number of accounts in a short period of time. 

The release of Aeon Server 5.1.16 and Aeon Server 5.2.4 includes several new options for preventing excessive new user account creation spam on the New User Registration form. This article will detail these options and how to configure them for your Aeon installation after updating.

Option 1: Add Captcha Requirement to the New User Registration Form

The captcha requirement is only supported for use on the New User Registration form (NewUserRegistration.html) and cannot be added to other Aeon web forms, such as the default request forms.

Extra security against spam account creation can be provided by adding a captcha requirement to the New User Registration form (NewUserRegistration.html). Once added, users will need to solve the captcha requirement to submit the form and create their Aeon account, which will prevent bot-driven account creation spam. To add the captcha requirement, Aeon must be configured to integrate with one of three supported third-party captcha providers. Once a provider is selected, your institution will need to create an account with that provider and use the account details to configure the captcha integration in the Aeon Customization Manager. The following third-party captcha providers and plans are supported by Aeon:

  • Google reCAPTCHA: The reCAPTCHA v2 (both the "invisible" and "checkbox" variants) and reCAPTCHA v3 are supported options
    • Note that reCAPTCHA Enterprise is not supported by Aeon

    Due to a Google bug, HTML5 validation configured on the New User Registration form will no longer properly display the tooltips notifying the user of any missing/invalid information that is preventing the submission of the form when using the "invisible" reCAPTCHA v2 variant. Users may also experience a delay before they are allowed to re-submit the form after their first invalid form submission.
  • hCaptcha: The free "Publisher" plan is supported
  • MTCaptcha: The free plan is supported

Note that only the free captcha account options offered by the captcha providers listed above are supported by Aeon at this time. Atlas Systems cannot guarantee support for any of the paid account options from these providers. Certain limits may apply based on the provider selected. Please review each provider's documentation for complete details.

Accessibility Information

For complete details on the accessibility features offered by each captcha provider, please see the captcha provider's documentation:

Configuration Overview

After choosing a captcha provider and plan, the captcha requirement can be added to the New User Registration form following the steps below:

  1. Creating an account with the captcha provider of your choice
  2. Configuring the captcha customization keys in the Aeon Customization Manager
  3. Updating your web pages to add the new captcha web page files and to update NewUserRegistration.html to include the new captcha field

1. Create a Captcha Account

Before a captcha integration can be configured for Aeon, you must first create an account with one of the three supported third-party captcha providers. After creating the account, you will use the account information to configure your captcha integration in the Customization Manager. Note that only the free plans offered by each captcha provider are supported by Aeon at this time. See each provider's section below for more detailed instructions on how to create your account.

Google reCAPTCHA

To create a Google reCAPTCHA account:

  1. Visit https://www.google.com/recaptcha/about/ and optionally review the listed features for reCAPTCHA v2 and reCAPTCHA v3 on this page to decide which option to use for your captcha requirement on the user registration form. For more information, see the reCAPTCHA documentation.

    reCAPTCHA Enterprise is not supported by Aeon at this time.
  2. Click v3 Admin Console at the top of the page when you are ready to create an account. You will be asked to sign-in/create a Google account before beginning the reCAPTCHA sign-up process if you are not already signed in to Google.
  3. Under Label, enter a label or name to use to identify your account.
  4. Under reCAPTCHA type, select either the reCAPTCHA v3 or reCAPTCHA v2 option
    • If reCAPTCHA v2 is selected, you must then select either the "'I'm not a robot' checkbox" or the "invisible reCAPTCHA badge" variant
  5. Under Domains, type the domain of the server that hosts your Aeon web pages (e.g., https://<your.AeonWeb.domain>/)
  6. Click the plus sign (+) to add the domain
  7. Agree to the terms and conditions and click Submit to create the account
  8. Once registration is completed, you will be shown a page containing the Site Key and Secret Key values associated with your new account. Save these values as they will be used to configure the CaptchaSiteId and CaptchaSecret customization keys in the Aeon Customization Manager during the next step of the configuration process.

hCaptcha

To create an hCaptcha account:

  1. Visit https://www.hcaptcha.com
  2. Click the Sign-Up button to begin the account creation process
  3. Click the Add hCaptcha to your service (free) option
  4. Follow the prompts to register for a free account
  5. Once registration is completed, you will be shown a page containing the Sitekey and Secret values associated with your new account. Save these values as they will be used to configure the CaptchaSiteId and CaptchaSecret customization keys in the Aeon Customization Manager during the next step of the configuration process.

MTCaptcha

To create an MTCaptcha account:

  1. Visit https://www.mtcaptcha.com 
  2. Click the Free Account button to begin the account creation process
  3. Follow the prompts to register for an account. When prompted for the Domain Name, type the domain of the server that hosts your Aeon web pages (e.g., https://<your.AeonWeb.domain>/)
  4. Once registration is completed, you will be shown a page containing the Site Key and Private Key values associated with your new account. Save these values as they will be used to configure the CaptchaSiteId and CaptchaSecret customization keys in the Aeon Customization Manager during the next step of the configuration process.

2. Configure Captcha Customization Keys

Once your captcha account is created using one of the providers above, you will then need to use information from the captcha account to configure a series of customization keys in the Aeon Customization Manager (all keys are located under System | System):

  • CaptchaProvider: Enter one of the following options exactly as shown below based on the captcha provider and plan you selected:
    • reCaptcha_v2_Checkbox
    • reCaptcha_v2_Invisible
    • reCaptcha_v3
    • hCaptcha
    • MTCaptcha
  • CaptchaSecret: Enter the Private Key (MTCaptcha)/Secret Key (reCAPTCHA)/Secret (hCaptcha) value associated with your captcha account. 
  • CaptchaSiteId: Enter the Site Key value associated with your captcha account.

Next, optionally review and modify the status line text that will appear on the Aeon web interface if a user fails the captcha challenge on the user registration form:

  • SLCaptchaFailure (located under Web Interface | Status Lines)

3. Edit Web Pages

After the new customization keys have been configured, follow the instructions below to update your web pages and add the captcha requirement to NewUserRegistration.html:

The captcha requirement is only supported for use on the New User Registration form (NewUserRegistration.html) and cannot be added to other Aeon web forms, such as the default request forms.

  1. Visit the Aeon Downloads page and download the latest version of the Aeon 5.1/5.2 Default Web Pages
  2. Unzip the downloaded zip file containing the new web page files
  3. Navigate into the folder containing the new web page files
  4. Navigate into the templates subfolder
  5. Copy the captcha subfolder and add this entire folder as a new subfolder within the templates folder in your Aeon web directory (in GitHub or at the default location on the Aeon server: C:\Program Files (x86)\Aeon\Web\templates). This folder contains the following files; please ensure that the entire folder containing these files is added to your web directory:
    • include_captcha_none.html
    • include_hcaptcha.html
    • include_mtcaptcha.html
    • include_recaptcha_v2_checkbox.html
    • include_recaptcha_v2_invisible.html
    • include_recaptcha_v3.html
  6. Locate and make the following changes to the NewUserRegistration.html file in your Aeon web directory:

    Change this (default line 20):

    <form action="aeon.dll" method="post" name="Registration">

    To this:

    <form action="aeon.dll" id="registration-form" method="post" name="Registration">

    And change this (default line 308):

    <button class="btn btn-primary btn-md" type="submit" name="SubmitButton" value="Submit Information">Submit Information</button>

    To this:

    <#CAPTCHA>
  7. Save your changes
  8. The captcha challenge requirement is now implemented on the New User Registration form. View and test the new captcha requirement on the form to ensure the integration has been properly configured.
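
To confirm that the file changes in step 3 were applied, the following PowerShell check inspects a web directory for the six captcha include files and the two NewUserRegistration.html edits. It is an added example, not part of the Atlas Systems documentation or the Aeon product; the function name Test-AeonCaptchaPages is hypothetical, and it assumes NewUserRegistration.html sits directly in the web directory that contains the templates folder.

```powershell
# Added example: verifies the step 3 file changes in an Aeon web directory.
# Test-AeonCaptchaPages is a hypothetical name; $WebRoot defaults to the
# location given in the article (pass a repository checkout path instead).
function Test-AeonCaptchaPages {
    param([string]$WebRoot = 'C:\Program Files (x86)\Aeon\Web')
    $problems = @()

    # Step 5: all six include files must exist in templates\captcha.
    $captchaDir = Join-Path (Join-Path $WebRoot 'templates') 'captcha'
    $expected = 'include_captcha_none.html', 'include_hcaptcha.html',
                'include_mtcaptcha.html', 'include_recaptcha_v2_checkbox.html',
                'include_recaptcha_v2_invisible.html', 'include_recaptcha_v3.html'
    foreach ($name in $expected) {
        if (-not (Test-Path -LiteralPath (Join-Path $captchaDir $name) -PathType Leaf)) {
            $problems += "Missing template: templates\captcha\$name"
        }
    }

    # Assumption: NewUserRegistration.html sits directly in the web directory.
    $formPath = Join-Path $WebRoot 'NewUserRegistration.html'
    if (-not (Test-Path -LiteralPath $formPath -PathType Leaf)) {
        return $problems + "NewUserRegistration.html not found in $WebRoot"
    }
    $html = Get-Content -LiteralPath $formPath -Raw

    # Step 6, first change: the Registration <form> tag carries the new id.
    $formTag = [regex]::Match($html, '(?is)<form\b[^>]*\bname\s*=\s*"Registration"[^>]*>').Value
    if (-not $formTag) {
        $problems += 'No <form name="Registration"> tag found'
    } elseif ($formTag -notmatch '\bid\s*=\s*"registration-form"') {
        $problems += 'Registration form tag lacks id="registration-form"'
    }

    # Step 6, second change: <#CAPTCHA> (matched exactly as the article
    # writes it) has replaced the default submit button.
    if ($html -cnotmatch '<#CAPTCHA>') {
        $problems += 'No <#CAPTCHA> tag found'
    }
    if ($html -match '(?is)<button\b[^>]*\bname\s*=\s*"SubmitButton"') {
        $problems += 'Default SubmitButton is still present; step 6 replaces it with <#CAPTCHA>'
    }
    return $problems
}

# Usage: an empty result means every check passed.
$issues = @(Test-AeonCaptchaPages)
if ($issues.Count -eq 0) { 'Captcha page changes look complete.' } else { $issues }
```

The check only covers the files on disk; the CaptchaProvider, CaptchaSecret and CaptchaSiteId keys still need to be reviewed in the Customization Manager.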

Option 2: Disable New User Registration for Accounts Using Standard Aeon Authentication

This option should not be chosen if you want to continue to allow users to create Aeon accounts through standard Aeon authentication (AeonAuth) from the New User Registration form or if you only allow users to register for accounts through this process.

User registration can be completely disabled for accounts created through standard Aeon authentication (AeonAuth) from the New User Registration form (NewUserRegistration.html) using the AeonAuthUserRegistrationEnabled customization key. This option will prevent the creation of spam accounts by completely blocking account creation for users who are not pre-authorized for an Aeon account via an Aeon Exclusive, LDAP, PatronAPI, or Remote Authentication configuration.

After disabling user registration for new AeonAuth accounts, the New User Registration form will still be accessible to users on the web interface. However, when these users attempt to submit the form to register for a new account, the form will not be submitted and the SLUserRegistrationDisabled status line will display to indicate that user registration has been disabled and to contact staff for assistance.

Disabling AeonAuth user registration only disables self-registration for these users from the New User Registration form on the Aeon web pages. Staff will still be able to manually create new user accounts from the Aeon Client for these users, if necessary or preferred.

Note: The AeonAuthUserRegistrationEnabled key will only enable/disable user registration from your production Aeon web pages and will not affect your TestWeb web pages. After updating to Aeon Server 5.1.16/5.2.4, users will not be able to register for an Aeon account using any authentication type from the TestWeb pages by default. This option is not configurable.

Configuration Steps

To use the AeonAuthUserRegistrationEnabled customization key to disable new user registration for accounts created via standard Aeon authentication (AeonAuth):

  1. Open the Aeon Customization Manager
  2. Navigate to the AeonAuthUserRegistrationEnabled customization key located under System | System
  3. Set the value of this key to No
  4. Click Save to save your changes
  5. User registration is now disabled for standard Aeon accounts created through the New User Registration form

Note that users who are pre-authorized for account creation via an Aeon Exclusive, LDAP, PatronAPI, or Remote Authentication (RemoteAuth) integration will not be affected by configuring the AeonAuthUserRegistrationEnabled key to disable new user registration. These users will continue to be permitted to create Aeon accounts following the usual account creation process.
