tags:

views:

224

answers:

4
+3  Q: 

Asp.net Membership - Accounts getting locked out

We're using the standard ASP.net membership features that come with asp.net.

Certain accounts in our membership database have a "Locked Out" flag set to true - when/how does this happen?

+2  A: 

After a configurable number of failed logins (maxInvalidPasswordAttempts, default = 5) within a configurable length of time (passwordAttemptWindow, default = 10 minutes), the account will be locked out.

see here for membership related configuration properties

BioBuckyBall  2009-12-09 21:16:54
Is there a place where I can change this setting? Thanks!
stringo0  2009-12-09 21:18:41
It is usually configured in web.config
BioBuckyBall  2009-12-09 21:20:29
+2  A: 

When someone try to login 5 times (or whatever "maxInvalidPasswordAttempts" is set to) with the wrong password the account gets locked out ...

to avoid this in the future change the attribute maxInvalidPasswordAttempts in the web.config

example : 

<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
<providers>
  <clear />
  <add 
    name="SqlProvider" 
    ....
    maxInvalidPasswordAttempts="the new value here "
  />
</providers>

Yassir  2009-12-09 21:18:17
+1  A: 

These 4 guys did a great job of explaining in depth the asp.net membership controls

 <system.web>
... authentication & authorization settings ...

<membership defaultProvider="CustomizedProvider">
  <providers>
     <add name="CustomizedProvider"
          type="System.Web.Security.SqlMembershipProvider"  
          connectionStringName="MyDB"
          applicationName="MyProject"
          minRequiredPasswordLength="5"
          minRequiredNonalphanumericCharacters="0" />
  </providers>
</membership>

basically add your provider and then set the setting the way you'd like them

jim  2009-12-09 21:21:30
Thanks, the link is bound to be helpful!
stringo0  2009-12-15 00:23:23
+1  A: 

Account locking is a feature of SqlMembershipProvider that provides a safeguard against password guessing.

Looking at this page you can see that the aspnet_Membership table has IsLockedOut, LastLockoutDate, FailedPasswordAttemptCount, FailedPasswordAnswer-AttemptCount. By reviewing this table and those columns you should be able to determin who is having a failed login, when they failed on their login, and how many times they failed.

The actual count for the number of login tries can be sest in the section of the web.config. You can read more about account locking here.

Chris  2009-12-09 21:26:23

related questions

after running aspnet_regsql.exe , do I have to init the db with data? how?
Not using e-mail address in a custom MembershipProvider?
How to pass the current user to a web control declaratively
How do you rename a Role using Membership in .NET?
What encryption algorithm does the .net membership provider use?
Membership.GetUser() & MARS
Web.config editing for Membership Role Authorization
Globalization of Membership exceptions isn't taking place... What to do?
OpenId development while disconnected from Internet
programmatic login with .net membership provider
Addin extra properties to MembershipProvider
ASP.Net Providers from web server in DMZ
ASP.NET PasswordRecovery Control with Localized content
Examples of asp.net mvc and authentication
ASP.NET Membership for high security scenarios?
ASP.NET Forms Authentication With Only UserName
What to use for membership in ASP.NET
How can I wrap a transaction around Membership.CreateUser?
New site creation and security/authentication,- should I use ASP.net Membership Provider?
ASP.NET WSAT (Website Administration Tool) and Custom Membership Providers
How do you manage asp.net SQL membership roles/users in production?
How to access UserId in ASP.NET Membership without using Membership.GetUser() ?
Can I use OpenId with the ASP MembershipProvider?
How do you pass an authenticaticated session between app domains
Class design decision