Reputation: 10113
ASP.Net Identity 2.0 AccessFailedCount not incrementing
Last night I was working on a new project using FormsAuthentication and was customizing the ticket to include a security token so if the user logs off in one browser it logs off in all of them. In looking at the latest iteration of ASP.net Identity, it looks like it already has this functionality built in.
I created a new test MVC 5 web application with Individual Accounts enabled. Registration and authentication worked right out of the box.
However, I noticed that failed login attempts were not incrementing the AccessFailedCount field in the AspNetUsers table. And since that wasn't incrementing, I could try as many failed login attempts as I wanted without getting the account locked out.
How do I enable the AccessFailedCount and Lockout functionality on ASP.net Identity 2.0?
Upvotes: 24
Views: 21985
Answers (4)
Reputation: 46
After unsuccessful login attempt , you should use
await UserManager.AccessFailedAsync(user);
This codes increase AccessFailedCount
Upvotes: 0
Reputation: 1614
For .NET Core 2.1 the shouldLockout is now named lockoutOnFailure
So your login call should look like this to increment failed login attempts:
var result = await SignInManager.PasswordSignInAsync(loginModel.Email, loginModel.Password, loginModel.RememberMe, lockoutOnFailure: true);
This will also reset the failed login attempts once the user logs in successfully.
Upvotes: 8
Reputation: 2695
There is also the PasswordSignInAsync which accepts a "shouldLockout" argument. Setting this to true will auto increment failed login attempts
var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: true);
Upvotes: 18
Reputation: 21347
You have to handle this manually. The CheckPassword method calls the PasswordHasher.VerifyHashedPassword method to validate the password, but it does not update access failed count when the provided password does not match the existing one.
Here's an example of an authenticate method that supports lockout:
UserManager<User> userManager = new UserManager<User>(new UserStore());
if (userManager.SupportsUserLockout && userManager.IsLockedOut(userId))
return;
var user = userManager.FindById(userId);
if (userManager.CheckPassword(user, password))
{
if (userManager.SupportsUserLockout && userManager.GetAccessFailedCount(userId) > 0)
{
userManager.ResetAccessFailedCount(userId);
}
// Authenticate user
}
else
{
if (userManager.SupportsUserLockout && userManager.GetLockoutEnabled(userId))
{
userManager.AccessFailed(userId);
}
}
Upvotes: 36
Related Questions
- ASP.NET Identity not "saving" updated claim
- Identity 2.0 Invalid Login Attempt
- How do I enable the AccessFailedCount and Lockout functionality on ASP.net Identity 2.0?
- ASP.NET MVC 5 Identity 2 PasswordSignInAsync method always returns false
- ASP.net Identity 2.0 not creating a valid authentication when signing in
- .net Core 3 identity 'AccessFailedCount' not incrementing
- User.Identity.Name always null and claims count 0 after PasswordSignInAsync MVC .Net Core 3.0
- ASP.NET Identity not set in login request
- ASP.NET Identity not authorizing properly
- Identity 2.0 Claims not being added to the database