Locking out a user in an ASP .Net Custom Membership Provider

Question

I've had to create a custom membership provider for my current ASP .Net project in order to fit in with our database schema, and am having problems configuring it to lockout a user if they get their password wrong three times, as is supported by the standard providers.

Is this something I need to implement myself, or should it be supported inherently?

I have no code that specifically deals with it (and none of the interface members seem to deal with it specifically), but if I need to implement it myself, how do I go about informing the user they are locked out? Do I need to raise some sort of exception in ValidateUser?

Solution

Shame I can't mark two answers, the links provided by Dave R give a great in depth look at how membership works, and what Zhaph pointed out was just what I ended up doing, handling the locked out logic in the custom membership provider.

I then handled the error condition by using the Login control's LoginError event and checked in there to see if the user was locked out in order to show the appropriate error message.

Answer 1

Scott Mitchell has written an excellent series of tutorials on the ASP.NET site. This link includes information on creating a custom provider and discusses the locking logic:

http://www.asp.net/LEARN/security/tutorial-06-cs.aspx

There's also no in-built method to unlock accounts (i.e. you have to do this through database tools if you're using something similar to the SqlMembershipProvider). Scott has also written an article about creating a UI to manage this, which you can find here:

http://www.asp.net/LEARN/security/tutorial-14-vb.aspx

I actually recommend reading the whole series. Scott's an excellent communicator.

I hope this helps.