Sitecore UserName & Password Hardening

All organizations have processes & procedures in place to reduce the surface of vulnerability. One of the way to reduce attacks typically includes having a password policy and Sitecore Experience Platform is no exception to it. The way by which one installs Sitecore and configure has a significant effect on the security of a website. Sitecore has in place a fair amount of documentation related to Security Hardening and Sitecore Security Hardening Guide. Recently I was working on a Request For Proposal (RFP) which had lot of questionnaire related to password policy, I was aware that password policy can be enforced for Sitecore but was not satisfied that I have complete details and specifics to implement the password policy.

This blog post is about a voyage “Sitecore Username & Password Hardening” during which I drilled down the information for various settings and options available in Sitecore related to username and password policy implementations. If you are interested to harden a Sitecore implementation join me on this voyage and keeping reading the blog post further.

There are good number of documents & blogs, see “Nice Reads” section of this post for all such details.

Let’s start with some fundamentals to be aware about,

  1. Sitecore uses .NET security engine and is built on top of .Net Membership Provider
  2. All information related to roles, users, passwords and access is stored into “core” database. Hah! Why am I writing this should this not be known? Well trying to share information and making sure I cover all audiences for the post from including starters, mid-level and experienced Sitecore geeks.
  3. It is possible to replace or extend default configurations by writing a custom provider.

Let’s start with some specifics now,


Jason’s post USING EMAIL ADDRESSES AS YOUR SITECORE USERNAME is almost a clone of Brian’s post Sitecore allow email adress as user name

Rhys Godfrey’s post Sitecore–Changing the Username validation rule is all you have to understand for setting by UserName Validation.

I do not want to bombard duplicated information.


Q. Have you been asked to setup and enforce password policy?

Q. How to configure it for Sitecore?

Q. Where to start?

A. Here’s the answer, as said earlier Sitecore is built on .Net Membership provider start by looking <configuration>/ <system.web>/<membership> section of a web.config file on your Sitecore installation.

Q. What I need to look for?

A. The “sql” provider and the attributes of the provider.

Attributes Value Type
minRequiredPasswordLength int
minRequiredNonalphanumericCharacters int
requiresQuestionAndAnswer bool
requiresUniqueEmail bool
maxInvalidPasswordAttempts int
 passwordAttemptWindow int
enablePasswordRetrieval bool
passwordFormat string
passwordStrengthRegularExpression string


  • minRequiredPasswordLength : The attribute name itself is self-explanatory, it allows to specific the minimum number of character a password should have. The default value is 1 and of-course it cannot be 0 otherwise you will see below error,

1) minRequiredPasswordLength

What happens when some tries to setup password where length is less than minimum required?

Sitecore displays message and makes you aware of possible reasons,


  • minRequiredNonalphanumericCharacters: Specify minimum number of non-alphanumeric characters a password must contain.
  • requiresQuestionAndAnswer: Sitecore do not support this attribute and setting it to true will not allow for creation of a new user.

3) requiresQuestionAndAnswer

  • requiresUniqueEmail : Validates if there is already another user with same email address or not. If found New User will not be created and a message will be displayed.

4) requiresUniqueEmail

  • maxInvalidPasswordAttempts: User will be locked out after sur-passing the number of times an incorrect password is specified for login to Sitecore.

Sitecore login page do not specifically mentions about the user being locked out.


The information for a “Locked Out” user is available in User Manager,

locked out

  • passwordAttemptWindow

The PasswordAttemptWindow property works in conjunction with the MaxInvalidPasswordAttempts property to help guard against an unwanted source guessing the password or password answer of a membership user through repeated attempts. When a user attempts to log in with, change, or reset his or her password, only a certain number of consecutive attempts are allowed within a specified time window. The length of this time window is specified in the PasswordAttemptWindow property, which identifies the number of minutes allowed between invalid attempts.

If the number of consecutive failed attempts that a user makes to reset his or her password equals the value stored in the MaxInvalidPasswordAttempts property, and the time elapsed since the last invalid attempt is less than the number of minutes specified in the PasswordAttemptWindow property, then the membership user is locked out. The user is locked out by setting the IsLockedOut property to true until the user is unlocked by a call to the UnlockUser method.

If the interval between the current failed attempt and the last failed attempt is greater than the PasswordAttemptWindow property setting, the current invalid attempt is counted as the first. If a valid password answer is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password-answer attempts is set to 0 (zero). If a valid password is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password attempts and the count of invalid password-answer attempts are set to 0 (zero).

So for example if the values set for the attributes are maxInvalidPasswordAttempts=”5″ passwordAttemptWindow=”1”. A user will be locked out after he makes 5 unsuccessful attempts. If the user has made less 4 unsuccessful attempts and then he/she tries after “passwordAttemptWindow” (in our example 1 minute) the user will not be locked out as the attempt would have been set to 0 counter.

  • enablePasswordRetrieval
  • This attribute holds a value indicating whether the current membership provider is configured to allow users to retrieve their password. Default value is false and if you turn it on you might see below error as this attribute works in conjunction with passwordFormat.
  • enablePasswordRetrieval
  • passwordFormat
  • This attribute describes the encryption format for storing passwords for users. The values can be,
    Attribute Value Description
    Clear Not secure, do not use. Passwords are not encrypted.
    Encrypted Not secure, do not use. Passwords are encrypted using the encryption settings determined by the machineKey Element (ASP.NET Settings Schema) element configuration.
    Hashed Passwords are encrypted one-way using the SHA1 hashing algorithm.

    Hashed is the default one!

    How does it looks in Membership database (MS SQL) when these formats are changed?

    Below image is for “Clear” format

  • Clear
  • Below image is for “Encrypted” format
  • Encrypted
  • passwordStrengthRegularExpression
  • The PasswordStrengthRegularExpression property gets the regular expression used to evaluate password complexity from the provider specified in the Provider property. This is one of the most important attribute that would allow to implement strict password policy and set various rules related to passwords like,
    • Is greater than seven characters.
    • Contains at least one digit.
    • Contains at least one special (non-alphanumeric) character.

    All the above attributes are considered while a user is being setup into Sitecore from User Manager. Sitecore Login page ignores these attributes and just validates if the username and password is correct which make sense as otherwise consider a case that users were already setup and later on password policy was enforced to have at least one non-aplhanumeric character. Such users will not be able to login even if their password matches to whatever it’s is stored in database.

    I collected information related to sql provider from Membership Class and if you are looking for more information here is the place where you should watch out for.

    Nice Reads

A/B testing with Sitecore Email Experience Manager (EXM)

How to do A/B testing with email campaigns in Sitecore?

A/B testing  any email campaign is the best way to ensure that you are giving customers the information they want to see. As you create email campaigns, you are probably placing the content and messages layout based on the assumptions that you feel is appealing to the customer. However, your assumptions might not be accurate, and your recipients might not respond to your campaign in the way you expect them to. A/B testing allows you to create a couple of variations of the similar message so that you can send it to a small group of people first and see how they interact with the message and which one gains more popularity before picking the final message to be sent to your entire email base.

Sitecore Email Experience Manager (EXM) guides through the process of A/B testing but please consider the following factors before you start A/B testing:

  • Decide on the number of recipients to be included in the email campaigns (always include a small pool of recipients in the test to get a reliable result)
  • Confirm on which part of the messages needs to be tested for e.g. either the subject line or any components in the content area, text, links, images etc.
  • Decide on the number of variants to be included in the A/B test. Always consider the number of recipients proportional to the number of variants.
  • Selection of the message variant winner can be either manual or automatic

When you want to run an A/B test, you need to create variants of the original message campaign:

To create a new variant of a message:

  1. Open the message for which the A/B test needs to be performed.
  2. You can add a new variant or duplicate the original variant and all its content also modify it.
    • To add a new variant for the message, go to the message tab, click Add Variant img as per the screen-grab:


    • This creates a new message variant based on the same template as the original message but no content will be replicated.


    • If we need to duplicate the original message variant then click the arrow button next to quick test tab and select the “Duplicate this variant” option. This option can be chosen if you want to test minor differences between variants such as subject line, name of a button or image.


    • Message variants are displayed just below the tabs and you can easily toggle between the variants.


    • Please note that you can create as many variants of the message, but when you add more variants you need a larger pool of recipients for the test results to be clear and reliable. Hence it’s recommended to test against maximum of two or three variants.
  3. Make the necessary changes to the new message variant. Once done with the changes to all the variants click Save.

Start an A/B test:

Next go to the Delivery tab of the relevant message, select the variants which you want to be included in the A/B test. For this example here, the variants A and B are selected.


Following options are seen under the Delivery tab:

Size of the test: From the drop down menu, select the percentage of recipients that needs to be included in this test. This set of recipients will be randomly generated from the full list of recipients.

  1. Select Winner: There are two options by which you can specify how the winner can be chosen.
    • Automatic: By choosing this option, the system selects the winning variant based on either best value per visit or highest open rate. Also here you need to specify how long you want the test to run before the winner is selected.
      • If you select “Best value per visit” the winning variant is based on the one that generates the most value on the website per visitor.
      • If you select the “Highest open rate” the winning variant is the one that was opened the message most often.
    • Manual: This option allows you to review the reports of the A/B test and select the winner based on your own criteria.
  2. Schedule Delivery:
    It lists down the following options:

    • Send message now: It starts the A/B test immediately.
    • Schedule message delivery: It schedules the delivery of the A/B test message for a later time. Here you can specify the date and time to start the A/B test.
    • Schedule a recurring delivery: This option allows to send the A/B test message recurrently at a certain interval, date and time.
  3. Notification: Clicking the Notification check box allows you to send a notification as shown below to the specified email address regarding the completion of A/B test.


  4. Multi-language: Clicking the More option, gives the Multi-language option. It allows you to send the message to the recipients’ preferred language.

Once done with selecting the setting under the Delivery tab, click on Start A/B test button at the bottom (Schedule test button in case of scheduled A/B test)

Clicking on Start A/B test button gives the below screen which confirms whether the A/B test needs to be sent to all the included recipients.


Depending on the option chosen as a method for winner selection (Manual/Automatic), the winning variant get selected.

If the winner is to be selected automatically then after the specified time has passed the EXM sends out the winning variant automatically to rest of the recipients in the recipients list.

Please note that wining message will not be sent to any of the recipients that were included in the A/B test.

If the winner needs to be selected manually then review the A/B test reports and select the variant which is best to be sent out. For the manual option each variant is listed with current achieved statistics:

  • Open rate: This displays the percentage of recipients that have opened the message.
  • Click rate: This is percentage of recipients who have clicked the link in the message.
  • Value: It is the engagement value points generated after the recipients have opened the message.

Based on the results for open rate, click rate and value one can decide which variant will be the best and then click ‘Choose as winner’ option. For e.g. here Variant A has been selected as the winner would give pop up dialog box to confirm.


This is will then send out the winning message to all the rest of recipients. Below is screen grab of the sample email which the recipients will receive.

img_14.jpgIf you need more detailed information on the A/B test results, click the Reports tab which details about the recipient behavior and message performance.


Query Sitecore xDB MongoDatabases via RoboMongo Part 3

In my previous two blog post Query Sitecore xDB MongoDatabases Part 1, I shared information about configuring RoboMongo for making it to understand CSUUID and the second post Query Sitecore xDB MongoDatabases Part 2 informing about executing queries from Mongo Shell. This post would be the last in the series where I would share queries that would be handy to be executed from RoboMongo. One would wonder as to why mentioning queries if already there is a blog post out there for Mongo Shell. There are few differences in the syntax for RoboMongo and Mongo Shell and hence this post.


The differences that stands out for queries for Mongo Shell vs RoboMongo are,

  • Instead of referring to the collection name COLLECTION_NAME.find() as compared to Mongo Shell, RoboMongo uses getCollection method.
  • GUIDS would have to be enclosed in the call for CSUUID for e.g CSUUID(“7801dccd-6d8c-4c6e-8327-f66a7c773698”)


  • Similarity is both Mongo Shell and RoboMongo are case sensitive so .find({}) and .Find({}) are interpreted differently where former is correct to search for a record and the later would result in an error. Case sensitivity holds true for fields names too so finding a record for “ContactID” would get you results but not for “contactid”
  • find, and, or, sort and limit syntax is similar for Mongo Shell and RoboMongo.
  • Fields hierarchy separated by “.”


Query for GUIDS
 db.getCollection('Contacts').find({"_id" : CSUUID("7801dccd-6d8c-4c6e-8327-f66a7c773698")})


Query for data without GUIDS. Fields hierarchy separated by “.”

 db.getCollection('Contacts').find({"System.VisitCount" : 6})


Note: _id from Contacts collections maps back to ContactId in Interactions collection

db.getCollection('Interactions').find({"ContactId" : CSUUID("7801dccd-6d8c-4c6e-8327-f66a7c773698")})








--For descending order.
db.getCollection('Interactions').find({"ContactId" : CSUUID("7801dccd-6d8c-4c6e-8327-f66a7c773698")}).sort({"SaveDateTime":-1})
--For ascending order.
db.getCollection('Interactions').find({"ContactId" : CSUUID("7801dccd-6d8c-4c6e-8327-f66a7c773698")}).sort({"SaveDateTime":1})


db.getCollection('Interactions').find({"ContactId" : CSUUID("7801dccd-6d8c-4c6e-8327-f66a7c773698")}).sort({"SaveDateTime":-1}).limit(3) can be used for fetching top 3 records.

Sitecore PXM 8.0: Add Vulgar Fraction Support


Sitecore Print Experience Manager (PXM) is great; you can create dazzling printable documents that reuse your existing Sitecore content. You can enable your designers to add a personal touch to each document, or configure automation to allow document creation on the fly.

One of the primary components of PXM is its InDesign Connector plugin (IDC). It facilitates communication between Sitecore PXM and InDesign, allowing a designer to:

  • add Sitecore content to an existing InDesign document
  • create and update PXM Projects, which are a Sitecore representation of an InDesign document
  • manipulate master documents, which are essentially InDesign templates
  • save content changes directly into Sitecore items

“Vulgar” Fractions

Vulgar fractions are simply fractions that are “non-standard.” Examples of standard fractions are below. These are the ones Sitecore PXM supports out-of-the-box:

  • &frac14; – ¼
  • &frac12; – ½
  • &frac34; – ¾

There are a whole host of others, however, that can be added. Some include:

  • &frac18; – ⅛
  • &frac35; – ⅗
  • &frac56; – ⅚

How To Add Support for the Vulgar Fractions to PXM

  1. Open Website\Print Studio\Data\special.xml – this is the file that is used to map an HTML code (e.g. &frac18;) to the corresponding UTF-8 character value (e.g. 8539).
  2. If you want to keep your file (roughly) in order by index, scroll down to the entry with index=”8501″.
  3. Insert the following elements:
     <codeposition index="8528" entity="frac17"/>
     <codeposition index="8529" entity="frac19"/>
     <codeposition index="8530" entity="frac110"/>
     <codeposition index="8531" entity="frac13"/>
     <codeposition index="8532" entity="frac23"/>
     <codeposition index="8533" entity="frac15"/>
     <codeposition index="8534" entity="frac25"/>
     <codeposition index="8535" entity="frac35"/>
     <codeposition index="8536" entity="frac45"/>
     <codeposition index="8537" entity="frac16"/>
     <codeposition index="8538" entity="frac56"/>
     <codeposition index="8539" entity="frac18"/>
     <codeposition index="8540" entity="frac38"/>
     <codeposition index="8541" entity="frac58"/>
     <codeposition index="8542" entity="frac78"/>
  4. Recycle the Sitecore PXM AppPool.


If you're curious, this configuration is used by the Sitecore.PrintStudio.PublishingEngine.Text.Parsers.Html.HtmlEntityHelper to map between the HTML code  (e.g. &frac18;) to the corresponding UTF-8 character value (e.g. 8539).

Sitecore Email Experience Manager – Installation & Configuration

Let’s get Sitecore Email Experience Manager(EXM) to work. By work I mean let’s install, configure and send some emails from EXM. When I landed on this territory of Sitecore ecosystem I had no idea what it all takes to get EXM working but finally playing with around for few hours I got a hold of it. So, if you are looking to start with EXM with no background knowledge of how to install & configure it this blog post would help you get started.


Latest version of Email Experience Manager can be downloaded from EXM is bundled up as a Sitecore package which can be installed on any Sitecore instance using Installation Wizard from Sitecore. Once the zip is downloaded point to note here is it is not a Sitecore package, the file name too has a disclaimer attached mentioning (not sc package). It contains many other packages too.

 Email Experience Manager Package


EXM Installation guide has all the details that are required to install EXM. Here I am going to mention an abstract of what is available in the guide. As a prerequisite before installing EXM module two steps needs to be completed,

1) Add two empty connection strings with the names master and exm.web. For example:

<add name="exm.master" connectionString="" />

<add name="exm.web" connectionString="" />

2) Add the two connection strings CryptographicKey and EXM.AuthenticationKey. The keys must be represented in hexadecimal format by 64 characters, where you can use the symbols 0-9 and A-F. For example:

<add name="EXM.CryptographicKey" connectionString= "E040C938FC9E4EBC3E93330B0F7837F284207B8180DB64CB5B6ABEB1AFBF6F5B" />


<add name="EXM.AuthenticationKey" connectionString= "9D80B4E56AEE694058567BD89C936FB88F2DB1272A4E88F419B6501919E0BB25" />

Installation guide does mentions a note that should not be ignored,


For security reasons, do not use the example key provided above.

How to generate these keys? Well I used Random.Org.

EXM Keys

EXM Keys 1

Copy the string generated in some text editor, remove all the white spaces and update connectionString value for both EXM.CryptographicKey and EXM.AuthenticationKey. As an example my string now looked like

<add name="EXM.CryptographicKey" connectionString="1acda6a3dd6178045eb13b28e4c5dac2cde2339ded292205743fc495d5edba84" />

<add name="EXM.AuthenticationKey" connectionString="ceb73b557b29f685d4b0ef6b2baeaba78ef539a9903d00adb9ad3783d60d4c7a" />

Let’s swing back to some action now! EXM installation is pretty simple and works like a charm as any other Sitecore package works. Install Email Experience Manager 3.4.1 rev. using Installation Wizard.

Installation will also dump EXM SQL database files so to complete the installation, move the following database files to the /Databases folder and attach them to a SQL Server instance.

o Sitecore.Exm.ldf

o Sitecore.Exm.mdf

o Sitecore.Exm_Web.ldf

o Sitecore.Exm_Web.mdf

I was eager to know what are the visual changes that were made to the content tree after the installation. Hope you too will be looking out for it, Are you?

After successful installation, the first visual change you will notice is on Launchpad which now have Email Experience Manager link under the Marketing Applications.

EXM Launchpad

Content Tree will have a new node “/sitecore/content/Email Campaign” with Message Types and Messages. The module is installed at “/sitecore/system/Modules/E-mail Campaign Manager”

EXM Tree


There are few configuration changes that needs to happen before we can start the actual usage of EXM and send out some test emails.

1) Update connectionstrings.config file to have below exm.master and exm.web connection strings. As an example,

<add name="exm.master" connectionString="user id=user;password=password;Data Source=(server);Database=Sitecore_EXM" />

<add name="exm.web" connectionString="user id=user;password=password;Data Source=(server);Database=Sitecore_EXM.WEB"/>

2) In the /App_Config/Include/Sitecore.Analytics.Tracking.config file, ensure the value of the ClusterName setting is set to your instance host name. For example

<setting name="Analytics.ClusterName" value="sc82up2exmplay"/>

3) Lastly setup the message transfer agent. EXM has made two options available for setting up an agent based on client’s need.

  1. Sitecore Email Cloud
  2. Custom SMTP

Sitecore has already provided “The Sitecore Email Cloud compared to the custom SMTP” compassion that will help you to make a decision.

As a playground, it’s better to use Custom SMTP which will leave out licensing issues and subscription to App Centre. On a production environment, you might of course want to configure Sitecore Email Cloud.

Configuring EXM for Custom SMTP

To start using the Custom SMTP:

1) In the Website\App_Config\Include\EmailExperiencefolder, add the suffix .disabled to the end of the following file names:

  • EDS.Providers.Sparkpost.config
  • EDS.Providers.Sparkpost.Sync.config

2) In the Website\App_Config\Include\EmailExperiencefolder, remove the suffix .disabled from the following file names:

  • EDS.Providers.CustomSmtp.config.disabled
  • EDS.Providers.CustomSmtp.Sync.config.disabled

3) Update pop3Settings in EDS.Providers.CustomSmtp.config

4) Update smtpSettings in Sitecore.EDS.Providers.CustomSmtp.Sync.config

Making life better for a developer I have created xml patch files, ready for use that can be dumped into Sitecore instance at path Website\App_Config\Include\zzz

I used Gmail SMTP configuration to send out emails hence these files have all the details related to Gmail Pop3 and SMTP except username and password.

Lastly you might want to put on verbose logging to troubleshoot EXM issues if any faced after installation and while sending emails. To enable it update below setting to true in file Website\App_Config\Include\EmailExperience\Sitecore.ExM.Framework.config

<setting name="EXM.Debug" value="true" />

EXM Now Do Some Work!

Opening Email Experience Manager from Launchpad will take you to below screen where there is not data yet to report.

EXM Report

1) Update Default settings, more information can be found at The EXM default settings

EXM Default Settings

2) Create an email campaign. As can be seen from screen shot there are two types of it. For simplicity, I went ahead creating a Regular email campaign. Looking for more information see Types of email campaigns.

EXM Email Types

EXM has some inbuilt template that can be used while creating a campaign.

EXM default templates

I selected “Modern” as my campaign’s template. Are you wondering how do I get it? It is available in the EXM package as “Email Experience Manager Sample Newsletter 3.4.1 rev.” hence installing this Sitecore package will get a new template into EXM.

EXM templates

3) Creating a campaign is a five-step process. First one is to specify General information about the campaign.

EXM General

EXM reports From Email field to be mandatory if it is not specified

EXM Mandatory Fields

4) Select Recipients, in order to create a list of recipients check Creating A Contact List section of this blog post

EXM Recipients

5) Message Details

EXM Message Details

6) Review: Before sending out actual emails we can review the email by sending it out to our self

EXM Review

I placed myself as the reviewer and was able to get an email as below,

EXM Inbox

7) Delivery: Final step for creating an email campaign. Hitting Send Message starts sending out emails and keeps posted about the activities.

EXM Delivery

Moving back to dashboard now will have has some data to be reported

EXM Dashboard

Creating a Contact List

1) Open List Manager for Sitecore Launchpad

List Manager

2) Hit Create, different options are available to make it quick and easy for me I used Empty Contact List.

List Manager Create

3) Enter information related to Contact List and Hit Save

List Manager Save

4) Click on Contact Drop Down and click on Create and add new contact

List Manager Contact Dropdown

5) Enter Email address, First name and Last name values and Save it.

New Contact

6) Few warnings appears as contact is being created and indexed. Have patience I understand the eagerness to send out emails from EXM.

Contact List Index

7) On refreshing the page added contact will appear on the list

Contact Added

Tips for Troubleshooting Email Sending

1) EXM records all activities in two log files, so checkout for any errors into these log files.

  • Eds.log
  • Exm.log

2) Gmail blocks signing in from unsecure apps which it did for me too. Turning “On” Allow less Secure App setting will allow EXM to send email message vis Gmail SMTP. I received and email from Gmail stating they have blocked access for an unsecure app.

Google Unsecure

Enable App

Other way to enable this setting in Gmail is to,

  • Login into Gmail
  • Go to settings -> Account and Import
  • Click on Other Google Account Settings

Other Account Settings

  • Under Sign-in & Security click Connected apps & sites

& Security

  • Enable Allow less secure apps. You may want to turn this setting off once playing around with EXM is completed.

Enable APP Other

Finally EXM is done and dusted. There is more to learn on EXM but whatever is noted down in the blog post helped me get started.

Sitecore Query XPath for Finding all Fields with Field Fallback Disabled


The query below returns all fields on your templates that have the field Enable field level fallback disabled. This can be useful if you are creating a multi-lingual site and want to turn field fallback on for the fields on your data templates, but aren’t sure for which it’s already been done.

/sitecore/templates/User Defined//*[@@templatename='Template field' and @Enable Shared Language Fallback!='1']

How Does it Work?

Let’s break down the components of the query:

/sitecore/templates/User Defined//*[@@templatename='Template field' and @Enable Shared Language Fallback!='1']

Start at the root of the user-defined templates. This should be adjusted if you’re creating your templates elsewhere. (In a Habitat module, for example.)

/sitecore/templates/User Defined//*[@@templatename='Template field' and @Enable Shared Language Fallback!='1']

Look at all descendants (recursively check all children).

/sitecore/templates/User Defined//*[@@templatename='Template field' and @Enable Shared Language Fallback!='1']

Only return items of template Template field whose Enable Shared Language Fallback checkbox is not checked (this can include an empty value or 0).

** Note that the Item Name of the Enable Shared Language Fallback field is used here; the name of the field you see when editing a field in the content editor will be its title: Enable field level fallback.

Issues or suggestions? Let me know with a comment.

Query Sitecore xDB MongoDatabases Part 2

Let’s query Mongo Database and fire some queries on collections to see what all Sitecore stores in the collections. We will also try to learn the syntax of mongo queries something similar that we use to do in our academic’s days trying to remember SQL queries as

create table tablename


select * from tablename where fieldname=value orderby fieldname.

This post is a continuation of my previous blog post Query Sitecore xDB MongoDatabases Part 1 where I shared information about how to set up RoboMongo so that it can understand GUID. Here I would be sharing few queries that can be executed from mongo shell but nothing about executing queries from RoboMongo, well this allows me to write a 3rd post in the series where I will show how to query mongo db via RoboMongo.

A point worth noting is Mongo is case sensitive so Find() and find() are different and the former will throw an error saying it is not a function.

Of course, the mongo shell needs to be running from where one can query mongo databases. So how do I run mongo shell?

  1. Open command prompt and change the directory to /mongo/bin
  2. Execute “mongo” and you will be connected to test db.
  3. Execute “use admin”. Mongo shell will switch database to admin and display message “switched to db admin”. “admin” is the database where all information related to security is stored.
  4. Execute db.auth(“username”,”password”) command. Once successfully authenticated mongo shell will display “1”
  5. Now for connecting to the desired mongo db execute “use databasename” statement for e.g use sc82up1play_analytics


If authentication is not enabled on mongo instance you can skip #3 and #4 steps. Why would one leave a mongo instance vulnerable and be hacked so as a best practice authentication, should always be enabled and if you want to learn how to enable it follow below links,

Let’s start! We now have enough background


To query data from MongoDB collection, you need to use MongoDB’s find() method. It would list all the records from a collection and is equivalent to SELECT statement in SQL.

Syntax of find() method is


For listing all records from Contacts or Interactions collections of sitecore_analytics database you will fire up,

  • db.Contacts.find()
  • db.Interactions.find()

For getting a record to match a field value syntax would be




if the fields are nested we use dot notation to separate out top-level fields.



db.Contacts.find({“System.VisitCount”:”5″}) where value of “VisitCount” is 5 and it falls under a top level field “System”

db.Interactions.find({“_t”:”VisitData”} ) is an example of top level field.

and in MongoDB

Syntax for and is,

db.collection.find({$and: [{key1: value1}, {key2:value2}]})

Key refers to as fieldname and value is what you would have the record for.




or in MongoDB

Syntax for or is,

db.collection.find({$or: [{key1: value1}, {key2:value2}]})


db.Contacts.find({$or:[{“System. Value “:5},{“System.Value”:10}]})


Syntax for sort() is,


To specify sorting order 1 and -1 are used. 1 is used for ascending order while -1 is used for descending order. If the sorting preference is not specified, then sort() method will display the documents in ascending order. sort() is equivalent to OrderBy in SQL.






If we want to find out the latest record in Interactions collection there are two fields “StartDateTime” and “SaveDateTime” which can be queried,




As the name says limit() can be used to limit the number of records to be displayed on mongo shell

Syntax for limit() is


sort() and limit() can be used to match TOP statement in SQL.








Here‘s the end of the post and all I have to share on Mongo for now. I will soon be writing another post to talk on the above basic mongo queries in RoboMongo.