This article covers a Hippo CMS version 7.8. There's an updated version available that covers our most recent release.

Configuring the CMS login page 


The login page of Hippo CMS can be configured with several options. This page discusses how and when to use these options.

Configuring Captcha

To prevent brute force attacks, the login page can be configured to show a captcha widget after a given amount of failed log in attempts.

To configure and use captcha with the login plugin, log in to the console and browse to the node


and specify the following two properties:

+ loginPage
    - use.captcha = true (defaults to false)
    - = n (defaults to 3)

Specifying a negative integer for the latter property causes the system to fall back on the default of 3.

Signin form autocompletion

Browsers can remember previously entered values of the fields of previously visited forms and offer them to the user when they start filling in the form. This may not always be the most secure behaviour. Html offers a feature to tell browsers not to try to automatically complete your form. The login plugin can be configured to leverage that feature and prevent the browser from autocompleting the form.

Log in to the console and again browse to the login plugin configuration node at:


Specify the following property:

+ loginPage
    - signin.form.autocomplete = false (defaults to true)

Remember Me and automatic login

When users log in they can optionally tick the Remember Me check box. If they do, then the next time they visit the CMS page they will be logged in automatically. Only when the user explicitly logs out the Remember me functionality is no longer activated. The Remember me functionality is controlled by setting two cookies: one to remember whether the user ticked the Remember Me checkbox and one to store the passphrase to authenticate against next time the user visits. The maximum age of these cookies can be configured.

Log in to the console and browse the the login plugin configuration. Specify the following two properties:

+ loginPage
    - rememberme.cookie.maxage = nr of seconds (defaults to 1209600: 14 days)
    - hal.cookie.maxage = nr of seconds (defaults to 1209600: 14 days)

Securing the Cookies

The above mentioned cookies can be configured with extra properties for extra security. When the boolean property use.httponly.cookies is set to true then the cookies are decorated with an extra attribute that prevents them from being accessible to client-side scripting. Set the boolean property to ensure that the cookies are only sent over a secure https connection. When the application is accessed over an unsecured http connection the cookies will not be sent.

+ loginPage
    - = true
    - use.httponly.cookies = true 

Restricting access

On top of the regular repository access control rules, the login plugin allows to configure restrictions on who can log in to the application it protects. This is done by two additional single valued string properties:

+  loginPage
     - {application_name}.privileges
     - {application_name}.privileges.path

where {application_name} is the name of the application under consideration (e.g. 'cms' or 'console').

The first property names the privilege that the user must be granted for the jcr node at the repository path specified by the second property.

For instance:

+ loginPage
    - cms.privileges = hippo:author
    - cms.privileges.path = /content/documents

will allow only authors, editors and admins to access the CMS application.


Deploying Hippo CMS

Get up to speed with Hippo CMS quickly. Attend a trainer led developer course in our Amsterdam or Boston office. Learn from the developers building Hippo CMS. 

Go check out our Developer Fundamentals Training >>