Settings - Security & Membership

You can access these settings in the Settings application under the Security & Membership category.


Administrator’s email

Specifies the administrator’s email address. It is used in places where the administrator’s email address cannot be specified in the administration interface or in web part properties (e.g., user account confirmation page).

Send membership reminder (days)

Determines when the system should send e‑mail notifications about Memberships that will soon expire. The value sets how many days before the expiration date reminders should be mailed out.

These emails are only sent for memberships that were assigned with the Send notification flag enabled and for those that were purchased as a product with a limited duration.

Memberships are checked periodically using the Membership reminder scheduled task. The content of the notifications is based on the Membership - Expiration notification e‑mail template.

Deny login interval

Interval in minutes during which kicked users cannot log back in to the site.

Share user accounts on all sites

If enabled, user accounts created on one site will be shared among all the sites running on the installation. If disabled, new accounts will be assigned only to the current site and not the others.

Use site prefix for user names

If enabled, user names only need to be unique for each site, not globally. It is possible to create users with names that are already taken on another site in the system.

When a user registers on the live site or is edited/created on a specific site (i.e. in the Users application), the system internally adds the unique identifier (GUID) of the given site as a prefix to that user’s name.

Do not enable this setting if you wish to have accounts shared across multiple sites.

Warning: Use this setting only if you have your system’s user/site organization planned according to the functionality described above. Reverting back to the default state where user names are globally unique would require a significant amount of effort and editing of user names via custom code or database scripts.


Reserved user names

Sets a list of users names that cannot be selected during registration. Entered user names must be divided by semicolons.

Registration requires email confirmation

Indicates if user registration should require confirmation via email (double opt-in).

Registration confirmation page path

Path to the page that contains the Registration email confirmation web part. The confirmation link in the registration email sent to new users leads to the specified page.

Note: Individual registration web parts (Registration form or Custom registration form) may override this setting if a different path is set in their Email confirmation page property.

Registration requires administrator’s approval

Indicates if an administrator’s approval is needed for a user to get registered.

Delete non-activated user after (days)

When users register but do not activate their account, their account will be deleted after the entered number of days.

Require unique user emails

If checked, users cannot enter an email address during registration if the address is already used by another user’s account.

On-line users

Monitor on-line users

Enables monitoring of on-line users who are currently browsing the website.

Store on-line users in database

If checked, records about on-line users will be stored in the database. This is necessary when running the system on a web farm.

Storing the data in the database also allows the system to provide more detailed information about anonymous users (guests) when using Contact management.

Update on-line users (minutes)

Interval in minutes after which information about on-line users will be updated. When running the system on a web farm, you need to enter the same value which is set for the Sessions remove expired sessions scheduled task (you can read the value in the Scheduled tasks application -> edit Sessions remove expired sessions -> Task interval -> Every: X minutes).


Check page permissions

Indicates if the website should check the user permission settings of pages and apply them. You can configure the permissions of pages in the Pages application on the Properties -> Security tab.

The following values are possible:

  • All pages - permissions will be checked for all pages on the website.
  • No page - permissions will not be checked for any pages.
  • Secured areas - permissions will be checked only for pages that are configured to require authentication.

Website logon page URL

Specifies the URL of the page where users can sign in on the website in order to access its secured areas.

Note: This page is different from the one used to log into the administration interface.

Access denied page URL

URL of the page that should be displayed when a user is not allowed to read a page.


Use SSL for administration interface

Indicates if the pages of the administration interface should automatically use URLs that are secured by the SSL protocol (i.e. with the https URL scheme).

Automatically sign-in user when site changes

If enabled, users will not need to enter their username and password when they switch between edited sites in the administration interface (using the Site drop-down list).

Enable code editing for site administrators

Indicates whether users with the Administrator privilege level are automatically allowed to edit code on the website. If disabled, administrators can still edit code if they have the appropriate permissions assigned: Edit Code for the Design module or Edit SQL Queries for the Reporting module.

The restriction applies to ASCX code of page layouts and transformations (modifying the HTML version of the code is allowed regardless of the setting), and SQL queries, e.g. for objects in the Reporting module.

See Special security permissions.

UI personalization

Enable UI personalization

Indicates if UI personalization should be enabled. If this is the case, users only see those parts of the UI that are allowed for the UI profile assigned to their roles. If disabled, the entire UI is visible for all users.


Default report connection string

Sets the database connection string that the system assigns to newly created reports. Existing reports also inherit the connection string value from this setting by default.

Only users who have the Set connection string permission for the Reporting module can change the connection strings of individual reports.

The system loads the list of connection strings from the <connectionStrings> section of the application’s web.config file. The (default) option represents the CMSConnectionString added by the application’s initial database installer.

You can use reporting connection strings for the following scenarios:

  • Retrieving data from a Separated on-line marketing database
  • Restricting the database-level permissions of reporting queries via a connection string with a limited database user