Reset user lockout by sending a reset account link using ASP.NET Identity 2.1


Solution 1

I know this is old but it's worth an answer as I've just been wondering the same myself...

The AccessFailedCount doesn't matter - the only thing locking the user out is the LockoutEndDateUtc. If the current UTC datetime is before the LockoutEndDateUtc then you won't be able to gain entry.

It's simple enough to reset though:

await UserManager.SetLockoutEndDateAsync(userId, new DateTimeOffset(DateTime.UtcNow));

You can set the DateTimeOffset to anything you want as long as it's before the current DateTimeUTC. In my example I use DateTime.UtcNow, as it gives the added benefit of knowing when the account was unlocked.

When the user eventually logs in again the AccessFailedCount will be reset to 0, so you don't need to worry about resetting that.

Solution 2

I thought I'd add an answer based on two of the comments above, as combined they seem to provide the best solution to this. I have a form in which I show a reCAPTCHA once the user is locked out, and clear the lockout if they submit the correct password along with a valid reCAPTCHA. The method I use to do the reset is below:

private async Task ResetLockoutIfPasswordCorrect(string username, string password)
{
    var user = await _userManager.FindByNameAsync(username);
    if (await _userManager.CheckPasswordAsync(user, password))
    {
        await _userManager.ResetAccessFailedCountAsync(user);
        await _userManager.SetLockoutEndDateAsync(user, null);
    }
}

As I say, I do guard this method with reCAPTCHA.
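
A token-protected version of the e-mailed unlock link from the question, using Solution 1's SetLockoutEndDateAsync call together with the counter reset suggested in the comments. This is an added example, not code from the question or either answer; it assumes the MVC 5 template's ApplicationUserManager with UserTokenProvider and EmailService configured, and the UnlockController name and the "UnlockAccount" purpose string are made up for illustration.

```csharp
// Added example for ASP.NET Identity 2.1 on MVC 5; not code from the question or answers.
// Assumed: the template's ApplicationUserManager with UserTokenProvider and EmailService
// configured. UnlockController and the "UnlockAccount" purpose are names made up here.
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

public class UnlockController : Controller
{
    private const string UnlockPurpose = "UnlockAccount";

    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    // Move next to your Login action and call it when sign-in returns SignInStatus.LockedOut.
    private async Task SendUnlockLinkAsync(string userId)
    {
        // The token is bound to this user and this purpose by the token provider.
        string token = await UserManager.GenerateUserTokenAsync(UnlockPurpose, userId);
        string link = Url.Action("UnlockAccount", "Unlock",
            new { userId, token }, Request.Url.Scheme);
        await UserManager.SendEmailAsync(userId, "Unlock your account",
            "Open this link to unlock your account: " + link);
    }

    [AllowAnonymous]
    public async Task<ActionResult> UnlockAccount(string userId, string token)
    {
        // Unknown user, missing token and bad token all get the same redirect,
        // and none of them changes the lockout state.
        var user = string.IsNullOrEmpty(userId) ? null : await UserManager.FindByIdAsync(userId);
        if (user == null || string.IsNullOrEmpty(token) ||
            !await UserManager.VerifyUserTokenAsync(userId, UnlockPurpose, token))
        {
            return RedirectToAction("Login", "Account");
        }

        await UserManager.SetLockoutEndDateAsync(userId, DateTimeOffset.UtcNow);
        await UserManager.ResetAccessFailedCountAsync(userId);
        // Changing the security stamp invalidates the token, so the link works once.
        await UserManager.UpdateSecurityStampAsync(userId);
        return RedirectToAction("Login", "Account");
    }
}
```

With the default DataProtectorTokenProvider, the link also stops working once the provider's TokenLifespan has elapsed.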

Author by

Noxious Reptile


Updated on July 21, 2022

Comments

  • Noxious Reptile almost 2 years

    I have an ASP MVC project in which I want to send an account unlock link to the user's email after the user gets locked out. I use ASP.NET Identity 2.1 in my project. What I could possibly do is lock the account for a period of 30 minutes using ASP.NET Identity. After this time the account gets unlocked. I tried to send an email to the user which contains a reset link. The link calls a method which has the following code.

    [AllowAnonymous]
    public async Task<ActionResult> UnlockAccount(string userId)
    {
        await UserManager.ResetAccessFailedCountAsync(userId);
        return RedirectToAction("Login");
    }
    

    But after this my account is still locked for the time period of 30 minutes which I set up in IdentityConfig.cs. Is this possible in ASP.NET Identity?

  • philw about 6 years
    Or for Core 2.0: await _userManager.SetLockoutEndDateAsync(user, null); Where "user" is: ApplicationUser user = await _userManager.FindByIdAsync(id);
  • Steve about 4 years
    Still a good idea to clear the AccessFailedCount, just in case the user typed a wrong password on the first try and got locked out again right after resetting the password.
  • Dave about 2 years
    Why set lock out end date to today when null will work? If you set it to a date and show the lock out end date in your admin, it will have a date, and may be confusing.
  • Percy about 2 years
    @Dave I explained this in the answer - "it gives the added benefit of knowing when the account was unlocked" - I also stated that it can be set to anything you want - so it's purely there for info.