    • 21759
    • 139 Posts
    I’m confused as to how the weblogin 1.1 works for the blog and site in general using evo 1.0.4. I have installed the demo content and was reading the content on the home page and saw this:
    Simple Blog. When logged into your site, you’ll be able to create new entries from the front end. This can also be turned into a News publishing or PR publishing system. View example blog
    So I created a new account and then tried to login but was met with an error that says:
    The security code you entered didn’t validate! Please try to login again!
    Now nowhere in the login section was there any captcha or security code to type in. Also there was no registration button and I had to use the link in the content to actually create an account. Am I missing something or is this not a normal login like those I am accustomed to on other sites like this forum for example?

    I see that I can post a comment in the blog section without logging in however.

    I also read through a few posts where they mention creating groups, documents, and permissions but that too is a bit confusing as how would I know the new members name etc to assign him/her to a web user group until they actually register? Without a register button this wouldn’t work. Setting up a link similar to the one on the content page is fine but most people are used to seeing a registration button near the login button so would probably never see the link.
      • 21759
      • 139 Posts
      Okay, I assume I am not explaining myself clearly, so I created a directory on my server and uploaded a fresh install of evo 1.0.4 onto it with the default theme and demo content. I created an account with the username tester and password testing so you can try and login to see the error message I keep getting. Hopefully this will explain my confusion.
      http://www.grstreamkeepers.com/webdev/newweb/
        • 28042 ☆ A M B ☆
        • 24,524 Posts
        Works fine for me. Looks like a cookie or SESSION issue in your case. Maybe because you were logged in as a manager user as well at the time? Are you using captcha on your Manager login page?
          Studying MODX in the desert - http://sottwell.com
          Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
          Join the Slack Community - http://modx.org
          • 21759
          • 139 Posts
          I logged off as manager, refreshed the new web site and tried again with the same results. I am using the captcha on the manager login page. As soon as I quit using the captcha setting located in the configuration tab the login process worked. I am now concerned about security; is that a legitimate concern without the captcha? This is the first MODx based site I’ve built where my (non paying) client wants a login/blog/membership feature. Because of my poor php/coding skills, normally I just stay with the basic css styled templates.
            • 28042 ☆ A M B ☆
            • 24,524 Posts
            Actually Captcha isn’t all that secure. There are a lot of automated form rendering scripts out in the wild that can scan them using sophisticated OCR functions. I always add a "dummy" field that gets moved off the screen with CSS, then part of the validation checks to make sure it’s empty and fails the submission if it isn’t. The automated scripts will fill in every field, since there’s no way to tell what fields are required. I haven’t had a spam contact form post since I switched to this method, and I was getting one or two a week with Captcha.
              Studying MODX in the desert - http://sottwell.com
              Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
              Join the Slack Community - http://modx.org
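The "dummy" field check described in the post above, as an added example that is not part of the thread and is not MODX or WebLogin code. The field name `website_url`, the CSS class `hp-wrap` and the sample submissions are assumptions made up for the sketch.

```php
<?php
// Added example, not MODX or WebLogin code. The field name and CSS class
// are made up for this sketch.
const HONEYPOT_FIELD = 'website_url';

// Markup to place inside the <form>: a decoy input moved off screen with CSS.
function honeypot_markup(): string
{
    return '<style>.hp-wrap{position:absolute;left:-9999px}</style>'
         . '<div class="hp-wrap" aria-hidden="true">'
         . '<label>Leave this field empty <input type="text" name="'
         . HONEYPOT_FIELD . '" value="" tabindex="-1" autocomplete="off">'
         . '</label></div>';
}

// True when the submission may go on to normal validation.
// A missing field is rejected too: a browser submitting the rendered form
// always sends the empty text input, so its absence means the request was
// not produced from that form. Non-string values (name[]=x) are rejected.
function honeypot_passes(array $post): bool
{
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        return false;
    }
    $value = $post[HONEYPOT_FIELD];
    return is_string($value) && trim($value) === '';
}

// Constructed sample submissions (not captured traffic).
$samples = [
    'browser, decoy untouched' => ['username' => 'alice', 'password' => 'x', 'website_url' => ''],
    'script fills every field' => ['username' => 'bot', 'password' => 'x', 'website_url' => 'http://spam.example/'],
    'decoy field left out'     => ['username' => 'bot', 'password' => 'x'],
    'decoy sent as an array'   => ['username' => 'bot', 'password' => 'x', 'website_url' => ['x']],
];

foreach ($samples as $label => $post) {
    printf("%-26s %s\n", $label, honeypot_passes($post) ? 'accept' : 'reject');
}
```

Only the first sample is accepted. In a form handler, call `honeypot_passes($_POST)` before any other validation and fail the submission when it returns false.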
              • 21759
              • 139 Posts
              So I should be okay without captcha is what you’re saying, I assume. The technique you give for the dummy field is interesting. Not sure how to set up the validation for it though. Thanks for your help, I’ll keep pluggin along.

              This site is for a non profit group that I belong to. I initially used another cms to build their website, but it is too hard for them to understand when adding new pages or editing so they quit doing it a long time ago and I decided to remake it with MODx as I find it is easier to edit and add new pages for the basic user with little or no html knowledge.
                • 28042 ☆ A M B ☆
                • 24,524 Posts
                The point to such a bot-prevention method in a login form is to prevent bots from hammering away at your login form trying a brute-force hack on the principle that enough random (or dictionary-based) attempts will eventually get through. MODx is protected against this anyway since three consecutive failed attempts will get the login blocked for an hour (this can be configured) which will discourage most bots, besides only letting them get in three actual valid attempts an hour.

                So use sufficiently "interesting" passwords and it’s not much of a problem anyway. A password of "1234567" will probably get your luggage broken into as well as your planetary defense shield (although nowadays the airport’s HS people just smash or cut open your luggage locks)
                  Studying MODX in the desert - http://sottwell.com
                  Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                  Join the Slack Community - http://modx.org
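The lockout behaviour described in the post above (three consecutive failures, then a one-hour block), as an added example that is not part of the thread and is not MODX's own code. The class name `LoginThrottle`, the in-memory state and the timestamps are assumptions; a real site would keep the counters in its user table. It needs PHP 8 for the constructor syntax.

```php
<?php
// Added example, not MODX code: consecutive-failure lockout with the
// thread's numbers as defaults (3 failures, 3600-second block).
final class LoginThrottle
{
    /** @var array<string, array{fails:int, blockedUntil:int}> */
    private array $state = [];

    public function __construct(
        private int $maxFails = 3,
        private int $blockSeconds = 3600,
    ) {}

    // Returns 'blocked', 'ok' or 'failed' for one login attempt.
    public function attempt(string $user, bool $passwordOk, int $now): string
    {
        // While blocked, the password is not evaluated at all, so guesses
        // made during the block tell the client nothing.
        if (($this->state[$user]['blockedUntil'] ?? 0) > $now) {
            return 'blocked';
        }
        if ($passwordOk) {
            unset($this->state[$user]);      // success resets the counter
            return 'ok';
        }
        $fails = ($this->state[$user]['fails'] ?? 0) + 1;
        $this->state[$user] = $fails >= $this->maxFails
            ? ['fails' => 0, 'blockedUntil' => $now + $this->blockSeconds]
            : ['fails' => $fails, 'blockedUntil' => 0];
        return 'failed';
    }
}

// Constructed timeline: [seconds after start, was the password correct?]
$timeline = [[0, false], [10, false], [20, false], [30, true], [3619, true], [3620, true]];
$start    = 1700000000;                      // constructed timestamp
$throttle = new LoginThrottle();

foreach ($timeline as [$offset, $passwordOk]) {
    $result = $throttle->attempt('tester', $passwordOk, $start + $offset);
    printf("+%4ds  password %-5s -> %s\n", $offset, $passwordOk ? 'right' : 'wrong', $result);
}
```

The third failure at +20s starts the block, so even the correct password is refused at +30s and +3619s and accepted only at +3620s.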