
ASP.Net Core SignInManager lockoutOnFailure

ASP.Net Core has SignInManager which handles user authentication. One of the methods is PasswordSignInAsync(string username, string password, bool isPersistent, bool lockoutOnFailure). Setting lockoutOnFailure to true should temporarily lock out the user after a certain number of failed login attempts.

Looking at the AspNetUsers table in the database I see the following:

  • AccessFailedCount increases by 1 for each failed access; when it hits 5 it rolls over to 0.
  • Upon rolling over to 0, LockoutTimeEnd is set to 5 minutes into the future.
  • LockoutEnabled, however, remains 0 even after rollover, and the user can continue attempting to log in.

It looks like the intended functionality is to allow 5 login attempts, then lock out the account for 5 minutes.

So my questions are:

  1. How do I set number of allowed failed logins?
  2. How do I set the lockout period?
  3. Why doesn't the lockout trigger?
Tedd Hansen asked Jun 28 '16 08:06



1 Answer

  1. How do I set number of allowed failed logins?
  2. How do I set the lockout period?

The default project template uses an extension method, AddIdentity<TUser, TRole>, for configuring identity services (in the Startup class's ConfigureServices method). There is an overload of this method with which you can configure IdentityOptions.

Instead of

services.AddIdentity<ApplicationUser, IdentityRole>()
     .AddEntityFrameworkStores<ApplicationDbContext>()
     .AddDefaultTokenProviders();

You can use

var lockoutOptions = new LockoutOptions()
{
     AllowedForNewUsers = true,
     DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5),
     MaxFailedAccessAttempts = 5
};

services.AddIdentity<ApplicationUser, IdentityRole>(options =>
     {
         options.Lockout = lockoutOptions;
     })
     .AddEntityFrameworkStores<ApplicationDbContext>()
     .AddDefaultTokenProviders();

The above is pointless because these are the default values of LockoutOptions, but you can change them as you like.

tmg answered Oct 19 '22 17:10

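An added example, not code from the question or the answer above, showing the sign-in side that the answer leaves out: the login action passes lockoutOnFailure: true and acts on result.IsLockedOut. ApplicationUser is the template type used in the answer; AccountController, Login, the Lockout view and EnableLockoutForExistingUserAsync are assumed names. SignInManager only reports IsLockedOut when the user row has LockoutEnabled set; AllowedForNewUsers sets that flag for users created through UserManager.CreateAsync, so accounts created earlier need it switched on explicitly, which the helper does.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly UserManager<ApplicationUser> _userManager;

    public AccountController(SignInManager<ApplicationUser> signInManager,
                             UserManager<ApplicationUser> userManager)
    {
        _signInManager = signInManager;
        _userManager = userManager;
    }

    [HttpPost]
    public async Task<IActionResult> Login(string username, string password)
    {
        // lockoutOnFailure: true is what makes a wrong password count against
        // AccessFailedCount and, after MaxFailedAccessAttempts, write LockoutEnd.
        var result = await _signInManager.PasswordSignInAsync(
            username, password, isPersistent: false, lockoutOnFailure: true);

        if (result.Succeeded)
            return RedirectToAction("Index", "Home");

        // IsLockedOut is only true while LockoutEnd lies in the future AND the
        // user's LockoutEnabled flag is set. With LockoutEnabled = 0 the counter
        // still rolls over and LockoutEnd is still written, but the sign-in check
        // ignores it, which is exactly the behaviour described in the question.
        if (result.IsLockedOut)
            return View("Lockout");

        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return View();
    }

    // One-off fix for accounts created before lockout was configured: flip the
    // LockoutEnabled column so the configured LockoutOptions actually apply to them.
    public async Task<bool> EnableLockoutForExistingUserAsync(string username)
    {
        var user = await _userManager.FindByNameAsync(username);
        if (user == null || await _userManager.GetLockoutEnabledAsync(user))
            return false;                       // nothing to do
        var update = await _userManager.SetLockoutEnabledAsync(user, true);
        return update.Succeeded;
    }
}
```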