Locking out a user in an ASP .Net Custom Membership Provider

Question

I\'ve had to create a custom membership provider for my current ASP .Net project in order to fit in with our database schema, and am having problems configuring it to lockout a

Answer 1

Replicate the conditions that lead to lockout (too many bad login attempts). Because Membership providers make a trip to their backend every time, it is sensible to limit this approach to providers with reasonable number of MaxInvalidPasswordAttempts.

if (0 < Membership.MaxInvalidPasswordAttempts && Membership.MaxInvalidPasswordAttempts < 100)
       {
                for(int i = 0; i <= Membership.MaxInvalidPasswordAttempts; i++)
                {
                    Membership.ValidateUser(userName, "jfdlsjflksjlkfjsdlkfjsdl");
                }
        }

Answer 2

Scott Mitchell has written an excellent series of tutorials on the ASP.NET site. This link includes information on creating a custom provider and discusses the locking logic:

http://www.asp.net/LEARN/security/tutorial-06-cs.aspx

There's also no in-built method to unlock accounts (i.e. you have to do this through database tools if you're using something similar to the SqlMembershipProvider). Scott has also written an article about creating a UI to manage this, which you can find here:

http://www.asp.net/LEARN/security/tutorial-14-vb.aspx

I actually recommend reading the whole series. Scott's an excellent communicator.

I hope this helps.

Answer 3

In your custom membership provider, you should implement the ValidateUser function. There you not only check if the username and password are valid, but you also retrieve the number of invalid password attempts etc from your datastore. If the username/password is valid, reset the password attempt count, otherelse increase the attempt count. The SqlMembershipProvider also stores the LastAttempt datetime, so you cannot bruteforce you way in because you are not allowed to attempt within a certain time frame.

Answer 4

This is something that you'd have to write yourself.

The default database schema has the following columns in the aspnet_Membership table:

IsLockedOut
FailedPasswordAttemptCount
FailedPasswordAttemptWindowStart

The attempt count will be incremented on every failed attempt within the attempt window, and the time of the first failed attempt is stored in the window start column, once FailedPasswordAttemptCount equals the maxInvalidPasswordAttempts from the configuration, the IsLockedOut is set.

As Michiel states, your ValidateUser method will then need to check these values based on the settings in the provider configuration - by default these are:

maxInvalidPasswordAttempts="5"
passwordAttemptWindow="10"

Once the user has had the maximum login attempts, you'll need to ensure that you have set the MembershipUser.IsLockedOut is set from your provider - you can then check that value and behave appropriately - if you are using the default Login controls, this value will probably already be checked for you.