3

Which is the best method to access the webpages_Membership table information using a SimpleMembershipProvider in MVC 4? I'm trying to implement an account block if he/she inputs a wrong password three times...

Many thanks

Davide

2 Answers

7

Using SimpleMembership you would access this information with the following method:

WebSecurity.IsAccountLockedOut(userName, allowedPasswordAttempts, intervalInSeconds)

IsAccountLockedOut returns whether the account is locked or not, based on the number of attempts you want to allow and the time since the last failed logon attempt. This is used to stop brute force attempts to crack the password from other machines. You would add this check where you authenticate the user, such as the Account controller's Login method. You could do something like this:

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        // The lockout check comes before WebSecurity.Login: && short-circuits,
        // so a locked-out account is never authenticated and no auth cookie is issued.
        // 3 = allowed failed attempts, 180 = lockout window in seconds since the last failure.
        if (ModelState.IsValid &&
           !WebSecurity.IsAccountLockedOut(model.UserName, 3, 180) &&
           WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
        {
            return RedirectToLocal(returnUrl);
        }

        // If we got this far, something failed, redisplay form.
        // The same message is used for a lockout and for bad credentials, so the
        // response does not tell the caller which one occurred.
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

You do not want to completely disable the user in this case; you want to allow a valid user to get back in after the interval has passed. This is to stop brute force attacks, not people who forgot their password.

The IsConfirmed field is used during registration, when you want the user to confirm that they gave you a valid email address. You would generate and store a ConfirmationToken in the database, email it to the user, and instruct them to click on a link that takes them to a controller/action in your MVC app that verifies the token and sets the IsConfirmed field to true.

Kevin Junghans
  • This is quite OK, but for my purposes I want to disable the user completely and, if I understood correctly, IsAccountLockedOut checks only for an interval of time. Is it not better to set the IsConfirmed field to false? – Davide Jan 21 '13 at 14:42
  • See my updated answer which explains more on how to use IsAccountLockedOut and what IsConfirmed is used for. – Kevin Junghans Jan 21 '13 at 16:28
  • Should the call to WebSecurity.IsAccountLockedOut() be before the call to WebSecurity.Login()? You might have a successful login (FormsAuthCookie persisted) but just return to the login page. – Aaron Hoffman Apr 08 '13 at 18:22
  • Aaron Hoffman - After I thought about it more I think you are correct, because the Login method is more than a logical check: it can actually change the state of the system. Since C# supports short-circuit evaluation it will not even attempt the login if it fails on the IsAccountLockedOut check. I will change my example to reflect this. Thanks. – Kevin Junghans Apr 09 '13 at 14:06
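The confirmation-token flow described in the answer above (generate and store a token at registration, email a link, verify it in an action that sets IsConfirmed), as an added example that is not part of the original answer. It uses the WebMatrix.WebData `WebSecurity` API only: `CreateUserAndAccount(..., requireConfirmationToken: true)` returns the token that SimpleMembership stores in webpages_Membership.ConfirmationToken, and `ConfirmAccount(token)` flips IsConfirmed. Assumptions: an MVC 4 `RegisterModel` with UserName, Password and Email properties, an `Email` column on the UserProfile table, a hypothetical `SendConfirmationEmail` helper, and `RegisterStepTwo`, `ConfirmationSuccess` and `ConfirmationFailure` actions/views of your own.

```csharp
using System.Web.Mvc;
using System.Web.Security;
using WebMatrix.WebData;

public class AccountController : Controller
{
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Register(RegisterModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        try
        {
            // requireConfirmationToken: true creates the account with IsConfirmed = 0
            // and returns the ConfirmationToken that SimpleMembership stored for it.
            // Until the account is confirmed, WebSecurity.Login refuses it.
            // (Email column on UserProfile is an assumption of this example.)
            string token = WebSecurity.CreateUserAndAccount(
                model.UserName,
                model.Password,
                propertyValues: new { Email = model.Email },
                requireConfirmationToken: true);

            // Absolute link back to this app; the token is the only secret in it,
            // so it must travel to the address the user claims to own and nowhere else.
            string confirmUrl = Url.Action(
                "RegisterConfirmation", "Account",
                new { token = token }, Request.Url.Scheme);

            SendConfirmationEmail(model.Email, confirmUrl); // hypothetical helper
            return RedirectToAction("RegisterStepTwo");     // "check your mail" page
        }
        catch (MembershipCreateUserException e)
        {
            ModelState.AddModelError("", e.Message);
        }

        return View(model);
    }

    [AllowAnonymous]
    public ActionResult RegisterConfirmation(string token)
    {
        // ConfirmAccount only matches rows that are still unconfirmed, so a
        // missing, unknown or already-used token returns false; on success it
        // sets IsConfirmed = 1 for the matching user.
        if (!string.IsNullOrEmpty(token) && WebSecurity.ConfirmAccount(token))
        {
            return RedirectToAction("ConfirmationSuccess");
        }

        return RedirectToAction("ConfirmationFailure");
    }

    // Hypothetical helper: send the link with whatever mail transport you use.
    private void SendConfirmationEmail(string toAddress, string confirmUrl)
    {
        // e.g. System.Net.Mail.SmtpClient; omitted here because transport is
        // deployment-specific.
    }
}
```

Because `Login` already refuses unconfirmed accounts, a user who never clicked the link gets the generic "incorrect" message at login; if you want a friendlier hint, check `WebSecurity.IsConfirmed(userName)` after the failed login rather than before it, so the check does not become a way to probe which user names exist.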
1

Davide, to completely disable a user, you could create a new role "Disabled" and modify the Login code:

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)
{
    string errorMsg = "The user name or password provided is incorrect.";

    // Membership in the "Disabled" role blocks the login regardless of the
    // password. Note that this branch answers before the credentials are checked
    // and with a different message, so it reveals that the account exists.
    if (Roles.IsUserInRole(model.UserName, "Disabled"))
    {
        errorMsg = "Your account has been disabled. Contact webmaster for more info.";
    }
    else if (ModelState.IsValid &&
        !WebSecurity.IsAccountLockedOut(model.UserName, 3, 180) &&
        WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
    {
        return RedirectToLocal(returnUrl);
    }

    // Unconfirmed accounts are refused by WebSecurity.Login; tell the user why.
    if (!WebSecurity.IsConfirmed(model.UserName))
    {
        errorMsg = "You have not completed the registration process. "
            + "To complete this process look for the email that provides instructions.";
    }

    // If we got this far, something failed, redisplay form
    ModelState.AddModelError("", errorMsg);
    return View(model);
}
Owen Blacker
tired