I am trying to lock out a user after n number of unsuccessful attempts, and this only works if the user has an email ID. I am using a username instead of an email ID to log in to my application. In this scenario, is there a way I can lock out the user without an email ID too?
1 Answers
You could try keeping a failure counter in a session variable. You will need to add session state to web.config to use this code, though.

In your controller:

    // Returns the number of failed attempts stored in the current session (0 if none).
    public int getFailedAttempts()
    {
        int? failedAttempts = Session["FailedAttempts"] as int?;
        if (failedAttempts != null)
        {
            return (int)failedAttempts;
        }
        else
        {
            return 0;
        }
    }

    // Increments the failure counter held in the current session.
    public void handleFailedAttempt()
    {
        var failedAttempts = getFailedAttempts();
        Session["FailedAttempts"] = failedAttempts + 1;
    }

In web.config:

    <system.web>
      ...
      <sessionState mode="InProc" timeout="30" />
    </system.web>

Mike Wallace
- And then they start a new incognito page and try again. – Silvermind Feb 25 '16 at 18:04
- Could make a failure object that has attempts and an IP and use a db instead of session storage I suppose. But then they'd just try again with a VPN right? – Mike Wallace Feb 25 '16 at 18:07
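
The comments above note that a session-held counter starts over in a new browser session. The following is an added example, not part of the original answer, that counts failures against the submitted username on the server instead. `UsernameLockout` and its members are hypothetical names, and the in-memory dictionary stands in for the database table suggested in the comments.

```csharp
using System;
using System.Collections.Generic;

// Added example: hypothetical names; the dictionary stands in for a database table.
public sealed class UsernameLockout
{
    private sealed class Entry { public int Failures; public DateTime LockedUntilUtc; }
    private readonly object _gate = new object();
    private readonly Dictionary<string, Entry> _entries =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly int _maxFailures;
    private readonly TimeSpan _lockDuration;

    public UsernameLockout(int maxFailures, TimeSpan lockDuration)
    {
        _maxFailures = maxFailures;
        _lockDuration = lockDuration;
    }

    // Check before verifying the password; a locked account rejects every attempt.
    public bool IsLockedOut(string username, DateTime nowUtc)
    {
        lock (_gate)
        {
            Entry e;
            return _entries.TryGetValue(username, out e) && e.LockedUntilUtc > nowUtc;
        }
    }

    // Keyed on the submitted username, so a new session or browser does not reset it.
    public void RecordFailure(string username, DateTime nowUtc)
    {
        lock (_gate)
        {
            Entry e;
            if (!_entries.TryGetValue(username, out e)) _entries[username] = e = new Entry();
            if (++e.Failures >= _maxFailures)
            {
                e.LockedUntilUtc = nowUtc + _lockDuration; // temporary lock
                e.Failures = 0;                            // fresh count after expiry
            }
        }
    }

    // Call after a successful login to clear the counter.
    public void RecordSuccess(string username)
    {
        lock (_gate) { _entries.Remove(username); }
    }
}
```

In a login action, call `IsLockedOut` first, then `RecordFailure` or `RecordSuccess` depending on the result of the password check. Because the lock is temporary, a third party who deliberately fails logins for someone else's username can only block that user for the configured duration.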