Agreene

Reputation: 538

MVC4 Simple Membership password handling

I'm using the SimpleMembershipProvider in my MVC4 application. It seems that things like enforcing password complexity, a maximum number of login attempts and the like are not built in to this provider like they were in the providers available in earlier versions of the framework. Is there any built-in way to handle these things with SimpleMembership, or do I have to roll my own?

Also, what hashing algorithm does the SimpleMembership provider use, and should I be worried that it doesn't seem to be using a salt (i.e. the salt column is empty in my webpage_membership table)?

Upvotes: 1

Views: 2421

Answers (2)

David

Reputation: 86

I've not yet found a password complexity enforcement; I'm new to MVC myself. But there is an override for the Login method of SimpleMembership that specifies a maximum number of failed attempts and a lockout period (in seconds). Here's an example of my login POST controller action which will lock the account after 3 attempts:

    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (ModelState.IsValid)
        {
            // Locked out after 3 failed password attempts; the lockout lasts 300 seconds
            if (WebSecurity.IsAccountLockedOut(model.UserName, 3, 300))
            {
                ModelState.AddModelError("", "Your account has been locked due to excessive log in failures. Please try again in 5 minutes.");
                return View(model);
            }
            // Not locked out: check the credentials and issue the auth cookie
            else if (WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
            {
                return RedirectToLocal(returnUrl);
            }
        }

        // If we got this far, something failed, redisplay form
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

Upvotes: 6

Darko Kenda

Reputation: 4960

I think you can use the SimpleMembershipProvider(MembershipProvider) constructor overload to provide an instance of the MembershipProvider with those password requirements properties set and then the SimpleMembershipProvider will use those values.

Regarding the hashing, it's using PBKDF2, which means you shouldn't be worried about that.

Upvotes: 1
