Using the Auto Login feature

When displaying Mango dashboards on a public kiosk it may be desirable to automatically login a user. Since version 3.1.8 of the UI module there are three options for supplying the auto-login credentials (in order of precedence):

1. Url parameters
2. Local storage/cookies (this used to be the only option)
3. From the UI settings which are stored in the REST API JSON store

Important warning

Never use admin credentials for auto-login, always use a view-only/restricted user. The password will be stored/and or transmitted in plain text. When using the UI settings, the credentials will be publicly accessible from the REST API!

Url parameters

You can supply auto-login credentials using the autoLoginUsername and autoLoginPassword url/query parameters. e.g. https://mymangodomain.com/ui/home?autoLoginUsername=publicuser&autoLoginPassword=publicpassword

There is also a parameter which will store the credentials from the URL into the local storage/cookies - autoLoginStoreCredentials. This ensures that if the user navigates away and comes back to Mango the credentials are still available. e.g. https://mymangodomain.com/ui/home?autoLoginUsername=publicuser&autoLoginPassword=publicpassword&autoLoginStoreCredentials

autoLoginDeleteCredentials can be used to delete these credentials in the event that you no longer want users to be auto-logged in.

Local storage/cookies

You can store the credentials in the browser's local storage/cookies via the "Auto-login (local)" page under "Administration", or via the url parameters as explained above. These credentials must be added on a per machine/browser basis.

UI settings/JSON store

You can store auto-login credentials for all clients on the "UI settings" page under "Administration". Any client/browser which connects to the Mango instance will use these credentials (provided they are not logged in via one of the previous methods).

Security considerations

• Never use admin credentials for auto-login. Always create a dedicated view-only user with minimal permissions.
• URL parameters transmit the password in plain text — use HTTPS in production.
• UI settings credentials are publicly accessible via the REST API JSON store. Only use this method on trusted networks or for non-sensitive dashboards.
• Consider using rate limiting to protect auto-login endpoints from abuse.

Related Pages

• Users and Roles — Create dedicated view-only users for auto-login
• Auto Rotating Pages — Tutorial on building auto-rotating kiosk displays
• Configuration File — Configure auto-login settings in mango.properties