Documentation

App User Login and Security

This document outlines security settings for managing user logins, access control, and authentication in your application.

What You'll Learn

You'll discover how to properly configure user authentication for your application, implement appropriate access controls for different user roles, and set up security measures like password requirements and brute force protection to keep your data secure while maintaining a good user experience.

Activating Users

To activate user and login features, select the User Logins section while viewing the App Settings from the left side menu.

Tip: New apps have users activated by default.


Important Security Note: Most apps require different user roles (like Employees, Supervisors, Teachers, and Students) with varying access levels. For this reason, we recommend using the default page-specific login protection, which lets you control exactly what each role can access.

Live App Page Access

userloginsettings2

Secure individual pages with a login (Page-Specific Login Protection):

  • Recommended and enabled by default
  • Create multiple user roles
  • Control access permissions for individual pages
  • Offers the most flexibility for managing user access
userloginsoptions

Secure individual pages with the same login (Global Login Protection):

  • Only allows for one user type login and is less flexible
  • Applies one login screen across all pages
  • Less customizable than page-specific protection

Do not require a login to access your application (Open Access):

  • Not recommended for security reasons.
    • Instead, we recommend not requiring/removing login requirements from specific pages to create publicly accessible pages.
  • No login required
  • Anyone with the URL can access your app

❗️

Login settings are foundational to your app's structure. Changing this selection after you have set up protected pages will cause unrecoverable breaking changes to your app.

If you want to test out a different setting, please do so in an app copy.

User Login Security Settings

Main Navigation

Show users only what they're authorized to access by displaying navigation links selectively.

  • Only show links to pages the user has access to

Tip: Do not select this if you plan to allow users to request access to protected pages. Instead, choose page-specific visibility.

Inactivity

Protect your app by automatically logging out inactive users from both the Live App and Builder. This security measure helps prevent unauthorized access when users forget to log out or leave their session unattended.

  • Automatic inactivity logout. This setting applies to users in the Builder and the Live App.

Customizing Inactivity Settings

Adjust your app's auto-logout behavior with these options:

  1. Timeout Duration Choose from 1, 5, 10, 30, or 60 minutes of inactivity.
  2. Warning Message Create a custom notification that appears one minute before logout. This message alerts users to take action if they want to maintain their session.

Important Notes:

  • Enabling auto-logout automatically disables the "Remember Me" feature on login pages, as it would conflict with the inactivity timer.
  • All changes must be saved using the "Save Settings" button at the bottom of the page.

Example Warning Message: "Your session is about to expire due to inactivity. Please take action to stay logged in."

Passwords

Password Requirements

Strengthen your app's security by implementing robust password policies. These settings become available in the Builder's Settings section under User Logins after enabling user authentication.

Available Password Rules

  • Minimum 8 characters
  • Prohibit common passwords
  • Require at least 1 number
  • Require at least 1 special character
  • Require at least 1 uppercase letter
  • Require at least 1 lowercase letter

Additional Security Options

  • 60-day password expiration (customizable message)
  • Prevent reuse of last 3 passwords (customizable message)

Password requirements are not selected by default. Enable your chosen requirements by checking the corresponding boxes.

Brute Force Protection

Defend against automated password-guessing attacks with customizable failed login settings.

Failed Login Settings:

  • Failed Attempts: Choose 3, 5, or 10 attempts
  • Time Window: Set to 1, 5, 15, or 60 minutes
  • Lockout Duration: Select 5, 15, or 60 minutes, 1 day, or permanently
  • Custom Lockout Message: Display personalized text to locked users

Account Recovery Options

  • Enable password reset requests for locked accounts
  • Automated lockout notification emails
  • Customizable email messages and reset instructions

Notes:

  • Lockouts change the user's account status to "locked" in the "All Users" data table in the Builder. Accounts can be unlocked through:
    • Administrator-initiated password reset email
    • User-initiated password reset (if enabled) via the "forgot?" link
  • Remember to click "Save Settings" after making any changes.

user login security settings

Updated 18 days ago