This article covers Hippo CMS version 7.8. There's an updated version available that covers our most recent release.

Configuring the CMS login page 


The login page of Hippo CMS can be configured with several options. This page discusses how and when to use these options.

Configuring Captcha

To prevent brute-force attacks, the login page can be configured to show a captcha widget after a given number of failed login attempts.

To configure and use captcha with the login plugin, log in to the console and browse to the node


and specify the following two properties:

+ loginPage
    - use.captcha = true (defaults to false)
    - = n (defaults to 3)

Specifying a negative integer for the latter property causes the system to fall back on the default of 3.

Signin form autocompletion

Browsers can remember values previously entered in form fields and offer them to the user when they start filling in the form again. This is not always the most secure behaviour. HTML offers a feature that tells browsers not to automatically complete a form. The login plugin can be configured to use that feature and prevent the browser from autocompleting the form.

Log in to the console and again browse to the login plugin configuration node at:


Specify the following property:

+ loginPage
    - signin.form.autocomplete = false (defaults to true)

Securing the Cookies

The above-mentioned cookies can be configured with extra properties for extra security. When the boolean property use.httponly.cookies is set to true, the cookies are decorated with an extra attribute that prevents them from being accessible to client-side scripting. Set the boolean property to ensure that the cookies are only sent over a secure HTTPS connection. When the application is accessed over an unsecured HTTP connection, the cookies will not be sent.

+ loginPage
    - = true
    - use.httponly.cookies = true 
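
One way to confirm that the autocompletion and cookie settings above took effect is to inspect what the login page actually returns. The script below is an added example, not Hippo code: it assumes the disabled autocompletion is rendered as the standard `autocomplete="off"` attribute and that the cookie properties produce the standard `HttpOnly` and `Secure` attributes. The cookie names, field names and sample response are constructed placeholders.

```python
from html.parser import HTMLParser

REQUIRED_FLAGS = ("HttpOnly", "Secure")

def audit_cookies(set_cookie_headers):
    """Map cookie name -> required flags missing from its Set-Cookie value."""
    findings = {}
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; flags carry no value.
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        missing = [f for f in REQUIRED_FLAGS if f.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings

class _FormScan(HTMLParser):
    """Records text/password inputs the browser is still allowed to autocomplete."""
    def __init__(self):
        super().__init__()
        self.form_off = False
        self.exposed = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        own = (a.get("autocomplete") or "").lower() or None
        if tag == "form":
            self.form_off = own == "off"
        elif tag == "input" and (a.get("type") or "text").lower() in ("text", "password"):
            # A field is covered by its own autocomplete="off", or by the form's
            # when the field does not set the attribute itself.
            if own != "off" and not (self.form_off and own is None):
                self.exposed.append(a.get("name") or "?")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit_form(html):
    """Return the names of inputs not covered by autocomplete="off"."""
    scan = _FormScan()
    scan.feed(html)
    return scan.exposed

if __name__ == "__main__":
    # Constructed response data; cookie and field names are placeholders.
    cookies = ["sample_session=abc123; Path=/cms; HttpOnly",
               "sample_remember=xyz; Path=/cms; Secure; HttpOnly"]
    page = '<form autocomplete="off"><input name="username"><input type="password" name="password"></form>'
    print("cookies missing flags:", audit_cookies(cookies))
    print("autocompletable fields:", audit_form(page))
```

Many current browsers' password managers ignore `autocomplete="off"` on login fields, so the form check confirms the configuration rather than browser behaviour.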

Restricting access

On top of the regular repository access control rules, the login plugin lets you configure restrictions on who can log in to the application it protects. This is done with two additional single-valued string properties:


+ loginPage
    - {application_name}.privileges
    - {application_name}.privileges.path

where {application_name} is the name of the application under consideration (e.g. 'cms' or 'console').


The first property names the privilege that the user must be granted on the JCR node at the repository path specified by the second property.

For instance:

+ loginPage
    - cms.privileges = hippo:author
    - cms.privileges.path = /content/documents

will allow only authors, editors and admins to access the CMS application.