Important Update Information
Release Date: 20 May 2019
To keep up-to-date with the latest Payment Card Industry (PCI) security requirements, the 4.1 update features enhanced password security methods to include the following:
- User & Staff Password Expiration
- Staff Account Lock after Failed Login Attempts
- Staff Unique Password Requirements
- Encryption for Stored Passwords
- And many more...
Considerations Before You Update
This does not affect Patron users whose authType is set to Default on their user record and the WebAuthType customization key is either set to LDAP or RemoteAuth. This includes Shibboleth users.
For any questions on the Aeon 4.1 features & fixes, please see the Aeon 4.1 PCI Release FAQ. For all other questions, please contact support at email@example.com.
Additional information on PCI security requirements and recommendations can be found at: https://www.pcisecuritystandards.org/.
Aeon 4.1 Features & Fixes
Passwords are no longer stored in the web server logs because sensitive information is now redacted. If a user's session expires while they are changing their password and they attempt to log back in using the same formstate, the user will need to re-enter their passwords to complete the change password process.
The StaffPreviousPasswordCount customization key has been added to check the new password against a configurable number (default value: 4) of previous passwords for uniqueness when a staff user is changing his/her password. This will prevent staff users from reusing a previous password or rotating through similar passwords.
|New||The WebPasswordHashingIterations and StaffPasswordHashingIterations customization keys have been added to set the number of hash iterations (default value: 156,000 iterations) when storing a password. All passwords will now utilize the Password-Based Key Derivation Function 2 (PBKDF2) hashing strategies. For more information, see the Password table in the Aeon Customization Keys article.|
The StaffLoginAttemptsBeforeLock customization key has been added to set a maximum number (default value: 6 attempts) of failed login attempts before a staff account is locked out. A locked account can't be used until the password is reset by another staff member with access to the Staff Manager.
|New||The UserPasswordExpirationEnabled (default value: yes) and UserPasswordExpirationDays (default value: 180 days) customization keys have been added to enable user password expiration and set default dates for expiration.|
|New||The StaffPasswordExpirationDays (default value: 180 days) customization key has been added to set the number of days before a password expires for a Staff member.|
|New||The SLUserPasswordExpired status line customization key has been added; it appears if a user attempts to log in with an expired password. The default verbiage is set to say "Your password is expired. Please update your password."|
|New||The Customization Manager and the Staff Manager now include a Change Password button on the ribbon under the main drop-down menu allowing for the user to change their own password.|
|New||A Force Reset checkbox has been added to the Staff Manager's change password form for a selected user. When checked, the force reset will prompt the Staff member to reset their password upon attempting to log in. This allows a staff member to force their own password reset.|
|New||A Force Reset checkbox has been added to the Client's change password form generated on the FormUserInfo. When checked, the force reset will prompt the user to reset their password upon attempting to log in.|
|New||The autocompletion feature has been disabled on all password fields in the default pages. This prevents the fields from storing and prepopulating secure information such as passwords.|
|Changed||The Customization value fields have been increased from 255 characters to 1000 characters for existing values. The ValueChangedFrom and ValueChangedTo were also changed from 255 to 1000 characters for new values.|
|Changed||The Description field in the Customization table has been increased to nvarchar(max) to allow for longer customization key descriptions.|
|Changed||Added support for Cybersource (www.cybersource.com/) as a payment gateway option for Aeon web servers. For instructions on configuration, see CyberSource Configuration. Additional information can be found on the CyberSource website at Secure Acceptance Hosted Checkout.|
|Changed||The System Manager will check the Atlas servers for new client releases 10 seconds after startup, after which it will resume the behavior of only checking once every 15 minutes. The default interval at which updates are checked can be customized in the SystemManager.exe.config file by editing the value of the UpdateServiceInterval setting.|
|Fixed||Increased system verification requirements used when creating active user web sessions for remote auth users.|
|New||AtlasBI will lock out after a configurable number of failed login attempts. This value matches what is set in the StaffPreviousPasswordCount Customization Key.|
|New||Aeon Web API has a new endpoint added for marking requests as reshelved by barcode. For additional information, see Aeon API.|
|Changed||jQuery, which is used to build the Aeon default web pages, has been updated to version 1.12.4. A new set of default webpages will be automatically installed during the update to accommodate the updated version.|
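
The password storage, previous-password and lockout entries above, sketched as an added Python example (not Aeon's code and not taken from the product). The defaults 156,000, 4 and 6 come from this page; the SHA-256 PRF, 16-byte salt, `iterations$salt$hash` record format and the `StaffAccount` class are assumptions made for illustration.

```python
import hashlib, hmac, os

# Defaults quoted in the release notes; everything else here is an assumption.
HASHING_ITERATIONS = 156_000       # Web/StaffPasswordHashingIterations
PREVIOUS_PASSWORD_COUNT = 4        # StaffPreviousPasswordCount
LOGIN_ATTEMPTS_BEFORE_LOCK = 6     # StaffLoginAttemptsBeforeLock

def hash_password(password, iterations=HASHING_ITERATIONS, salt=None):
    """Return 'iterations$salt_hex$hash_hex' (assumed storage format)."""
    salt = salt or os.urandom(16)  # per-password random salt (assumed size)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    """Re-derive with the record's own salt and iteration count, compare in constant time."""
    iterations, salt_hex, hash_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)

class StaffAccount:
    """Hypothetical in-memory account: current record is history[-1]."""
    def __init__(self, password, iterations=HASHING_ITERATIONS):
        self.iterations = iterations
        self.history = [hash_password(password, iterations)]
        self.failed_attempts = 0
        self.locked = False

    def login(self, password):
        if self.locked:
            return False           # stays locked until another staff member resets it
        if verify_password(password, self.history[-1]):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= LOGIN_ATTEMPTS_BEFORE_LOCK:
            self.locked = True     # assumed: lock on the sixth consecutive failure
        return False

    def change_password(self, new_password):
        # Salted hashes differ per record, so re-derive against each stored one.
        if any(verify_password(new_password, rec) for rec in self.history):
            return False           # matches the current or one of the N previous
        self.history.append(hash_password(new_password, self.iterations))
        self.history = self.history[-(PREVIOUS_PASSWORD_COUNT + 1):]
        return True
```

Because each record carries its own iteration count, raising the iteration setting later does not invalidate records written under the old value.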