Validate Answer of Secret Question Against Existing Field Values

I have a scenario where after logging in (and/or during a live session), a logged in user would be redirected to a page where they need to answer an identifying question, pulled randomly from a pool of ID questions, which the user has previously answered/saved on their profile (and are currently hidden from everyone's view, including the user/owner).

Example:
There are 4 questions on their profile which they've answered and saved:
What is the name of your first pet? - text field
What year were you born? - dropdown
What is your hair color? - dropdown
What city were you born in? - text field

One of these questions is pulled randomly and displayed on an independent page. If the user's answer matches the current value stored, then the user is redirected to a hidden "Success Page" which has a secret URL. If the user answers incorrectly (their answer does not match the one in the DB), then they are redirected to a "Fail Page", or a different question.

I'll need to pass on some variable to tell me which page they are originally coming from, in order to decide which "Success Page" or "Fail Page" they are redirected to.

I understand that this is not an effective security measure for logging in, since the user can simply navigate away from that page after logging in. However, in my use case, I am using it to redirect to a hidden URL, and not using it as a security measure for logging in.

These values will live on the user's profile as hidden, however, the user can delete them (reset security questions) and re-enter them if they choose to.

Please advise on the best/cleanest way to do this.

Thanks.

Hi,
That is something that is outside the scope of CB's and CB's add-ons code that you would have to code yourself or ask someone to code for you. I can well imagine that you could code all of that as CB Auto Actions, but doing the coding for you is unfortunately outside the scope of this forum support. But giving you the auto-actions that you could use is in the scope:

You may need 2 actions onAfterLogin, one to memorize the return url, and one to redirect, so they may have to be called by an auto-action of type auto-action with Trigger onAfterLogin

You'll probably need a code-type auto-action to store your return url and a Redirect-type autoaction to go to your custom page, which could be an auto-action by itself (of type Content with your form, that would then post to another auto-action to evaluate the posting result). From there it's up to you to code whatever you need.

That's as far as we can help you in your coding of this custom functionality.

Maybe Kyle will complement my reply, but that's roughly the possible starting point.

What is supposed to be on the hidden URL page that it requires a secret question? There maybe just a better way to present that information to them instead of asking them a question, which will inevitable turn people away from your site.

It's educational material that is presented to them sequentially, with the requirement that their identity (and attention) be verified/validated randomly throughout the process.

It doesn't need to be "redirect driven" necessarily. Another workaround is to have some sort of Javasctipt pop up the questions throughout the process, while on these specific pages, (possibly on a timer being triggered every 15 mins for example), and if they answer correctly they remain on the page, and if they answer incorrectly they are redirected to a fail page.

Maybe something client-side that renders the answers using CB Substitutions into a script, and then checks their answer against it.

Or a single CB Form for each question that pops up in a modal and on submit (onprofileupdate) if new field matches old field then do nothing, if doesn't match, then redirect.

I'll take a closer look at auto-actions. If you think of an easier solution, let me know. Thanks.

Are you trying to prevent account sharing by verifying their identity?

You can try using CB AntiSpam and its Login Sharing protection in CB AntiSpam > Parameters > Login > Sharing. This will block logins if the account was logged in from too many different ip addresses. Next under the Duplicates tab you can enable blocking login from multiple devices at once. Both suggest just logging out the other sessions so as to inconvenience the user the least. This would be a significantly better experience for your users, is automated, and requires nothing on their part.

Actually no, login sharing and the user experience are not really a concern here.

It’s more identity verification and forcing them to look at the material. Forcing students to study and ensuring that they are who they say they are.

Kind of like that scene in Clockwork Orange where they tie the guy up and force his eyelids open.



Any CB features similar to the picture shown?