Locking out a user in an ASP .Net Custom Membership Provider

.net asp.net membership membership-provider lockout
20,158

Solution 1

Scott Mitchell has written an excellent series of tutorials on the ASP.NET site. This link includes information on creating a custom provider and discusses the locking logic:

http://www.asp.net/LEARN/security/tutorial-06-cs.aspx

There's also no in-built method to unlock accounts (i.e. you have to do this through database tools if you're using something similar to the SqlMembershipProvider). Scott has also written an article about creating a UI to manage this, which you can find here:

http://www.asp.net/LEARN/security/tutorial-14-vb.aspx

I actually recommend reading the whole series. Scott's an excellent communicator.

I hope this helps.

Solution 2

This is something that you'd have to write yourself.

The default database schema has the following columns in the aspnet_Membership table:

IsLockedOut
FailedPasswordAttemptCount
FailedPasswordAttemptWindowStart

The attempt count will be incremented on every failed attempt within the attempt window, and the time of the first failed attempt is stored in the window start column, once FailedPasswordAttemptCount equals the maxInvalidPasswordAttempts from the configuration, the IsLockedOut is set.

As Michiel states, your ValidateUser method will then need to check these values based on the settings in the provider configuration - by default these are:

maxInvalidPasswordAttempts="5"
passwordAttemptWindow="10"

Once the user has had the maximum login attempts, you'll need to ensure that you have set the MembershipUser.IsLockedOut is set from your provider - you can then check that value and behave appropriately - if you are using the default Login controls, this value will probably already be checked for you.

Solution 3

Replicate the conditions that lead to lockout (too many bad login attempts). Because Membership providers make a trip to their backend every time, it is sensible to limit this approach to providers with reasonable number of MaxInvalidPasswordAttempts.

if (0 < Membership.MaxInvalidPasswordAttempts && Membership.MaxInvalidPasswordAttempts < 100)
       {
                for(int i = 0; i <= Membership.MaxInvalidPasswordAttempts; i++)
                {
                    Membership.ValidateUser(userName, "jfdlsjflksjlkfjsdlkfjsdl");
                }
        }
Share:
20,158
RSlaughter
Author by

RSlaughter

Updated on January 15, 2020

Comments

  • RSlaughter
    RSlaughter over 4 years

    I've had to create a custom membership provider for my current ASP .Net project in order to fit in with our database schema, and am having problems configuring it to lockout a user if they get their password wrong three times, as is supported by the standard providers.

    Is this something I need to implement myself, or should it be supported inherently?

    I have no code that specifically deals with it (and none of the interface members seem to deal with it specifically), but if I need to implement it myself, how do I go about informing the user they are locked out? Do I need to raise some sort of exception in ValidateUser?

    Solution

    Shame I can't mark two answers, the links provided by Dave R give a great in depth look at how membership works, and what Zhaph pointed out was just what I ended up doing, handling the locked out logic in the custom membership provider.

    I then handled the error condition by using the Login control's LoginError event and checked in there to see if the user was locked out in order to show the appropriate error message.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

"Membership.Provider must be an instance of ExtendedMembershipProvider"
using asp.net membership provider how to check if the user is registered or not?
Admin pages to manage asp.net membership provider & Role management
Is it possible to change the username with the Membership API
Visual Studio Project Backup
Cannot convert from 'string' to 'System.Net.Http.HttpRequestMessage'
Cookieless attribute web.config
What is the return type for an Event in .NET?
Could not load file or assembly 'Microsoft.SqlServer.Types, Version=12.0.0.0, Culture=neutral, PublicKeyToken=myKey' or one of its dependencies.
The name does not exist in the current context