I'm using the SqlMembershipProvider and have a problem where aspnet_Membership_UpdateUserInfo is being called twice for a single failed logon. This means that a user will be locked out after only two attempts, not the 3 that I have configured.
Unfortunately I can't simply bump the login attempts count to a higher number as the problem only seems to be happening for IE users. Firefox and Chrome don't exibit the same problem.
The config I'm using is:
<membership defaultProvider="AcademyWebProvider" userIsOnlineTimeWindow="3">
<providers>
<remove name="AspNetSqlMembershipProvider" />
<add minRequiredNonalphanumericCharacters="0"
minRequiredPasswordLength="3"
maxInvalidPasswordAttempts="3"
passwordAttemptWindow="15"
applicationName="AcademyPro"
connectionStringName="SqlServer"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
name="AcademyWebProvider"
type="System.Web.Security.SqlMembershipProvider" />
</providers>
</membership>
UPDATE
Digging around a bit more and looking at the fiddler traces IE7 (IE7 proper, not IE 8 computability mode) and IE8 submit the form twice. I also added onsubmit="alert('Ping!');" to the form tag, the alert box shows twice, so what ever the problem is it's in javascript.