Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

ASP.Net Identity 2.0 AccessFailedCount not incrementing

Tags:

c#

authentication

asp.net

asp.net-mvc

asp.net-identity

Last night I was working on a new project using FormsAuthentication and was customizing the ticket to include a security token so if the user logs off in one browser it logs off in all of them. In looking at the latest iteration of ASP.net Identity, it looks like it already has this functionality built in.

I created a new test MVC 5 web application with Individual Accounts enabled. Registration and authentication worked right out of the box.

However, I noticed that failed login attempts were not incrementing the AccessFailedCount field in the AspNetUsers table. And since that wasn't incrementing, I could try as many failed login attempts as I wanted without getting the account locked out.

How do I enable the AccessFailedCount and Lockout functionality on ASP.net Identity 2.0?

like image 300
Sam Avatar asked Jun 13 '14 14:06

Sam

3 Answers

You have to handle this manually. The CheckPassword method calls the PasswordHasher.VerifyHashedPassword method to validate the password, but it does not update access failed count when the provided password does not match the existing one.

Here's an example of an authenticate method that supports lockout:

UserManager<User> userManager = new UserManager<User>(new UserStore());

if (userManager.SupportsUserLockout && userManager.IsLockedOut(userId))
    return;

var user = userManager.FindById(userId);
if (userManager.CheckPassword(user, password))
{
    if (userManager.SupportsUserLockout && userManager.GetAccessFailedCount(userId) > 0)
    {
        userManager.ResetAccessFailedCount(userId);
    }

    // Authenticate user
}
else
{
    if (userManager.SupportsUserLockout && userManager.GetLockoutEnabled(userId))
    {
        userManager.AccessFailed(userId);
    }
}
like image 129
meziantou Avatar answered Sep 22 '22 08:09

meziantou

There is also the PasswordSignInAsync which accepts a "shouldLockout" argument. Setting this to true will auto increment failed login attempts

var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: true);
like image 31
Fred Johnson Avatar answered Sep 26 '22 08:09

Fred Johnson

For .NET Core 2.1 the shouldLockout is now named lockoutOnFailure

So your login call should look like this to increment failed login attempts: 

var result = await SignInManager.PasswordSignInAsync(loginModel.Email, loginModel.Password, loginModel.RememberMe, lockoutOnFailure: true);

This will also reset the failed login attempts once the user logs in successfully.

like image 33
StefanJM Avatar answered Sep 25 '22 08:09

StefanJM
Sign in to Comment

Related questions

Check Drive Exists(string path)
.net core 'Response.Cookies.Append' not working as some station
How do I determine a public holiday in Sql server?
How good is the C# type inference?
Converting text file from ANSI to ASCII using C#
How to get the list of removable disk in c#?
What is the best practice in case one argument is null?
ASCIIEncoding In Windows Phone 7
Is it possible to extend 2 classes at once?
How to Console.WriteLine from [TestMethod]? [duplicate]
Linq to return string
Finding the number of places after the decimal point of a Double
how to specify the name property using knockout js
C# DateTime always create new object?
How to bind mousedouble click command in mvvm
Create object instance of a class having its name in string variable
How do I detect keyPress while not focused?
Refactoring if-else if - else
Cannot Assign because it is a method group C#?
The entry has already been added

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!