tags:

views:

41

answers:

2

Hi,

In my asp.net website, i would like to implement account lock at login page. I am not using provider for that. Also i would like to Auto-Unlock account after configurable time.

As i know microsoft also provide account lock feature with provider, but i have different requirements

1. I am using Oracle database
2. I would not like to store account lock info in database. Because it require administrator involvement.
3. Is there auto-unlock way of doing?

Please help?

+2  A: 

You can use the cookies to store the number of tries and time when lockout started. Then on page load you read from that cookie and if number of tries exceeds specified times set lock. If it is locked and the locking period expired then unlock loging.

After successful login, set number of unsuccessful tries to 0.

TheVillageIdiot
+1  A: 

You could use the singleton pattern to create an object that maintains information betweens requests in the same way a cache or session object does.

With this in mind you you can construct in memory only object you can use to limit repeat requests in your site by maintaining information of each failed request, you can also combine this with timers to remove requests older than a specified time. This then allows you to check the user hasn't exceeded the failed request count, and the timer will auto unlock by automatically removing the old requests.

http://www.dofactory.com/patterns/PatternSingleton.aspx

The singleton will only exist for the life of the application process so if it cycles down it will clear all requests information and therefore all locks - I think in IIS this is like 20 minutes, although deploying also recycles the application.

Mark
Thanks,What you say about CAPTCHA in login page?because user can open multiple session of browser and can supply valid credential.How can we protect our application in that case?
Hemant Kothiyal
You can throttle on the IP address. If you get a number of failed requests on a single ip, regardless of whether from multiple users you could implement lock out all requests from that ip for the period you set.
Mark