Mike Weston

Reputation: 85

ASP.Net Identity Change Password account lockout does not work

I am using ASP.Net Identity. In the ChangePasswordAsync function, an invalid old password does not trigger an account lockout. Is there any way to get this to happen? This was raised as a low issue by a pen test.

Regards

Mike

Upvotes: 1

Views: 948

Answers (1)

ArslanIqbal

Reputation: 629

You can do this by calling the lockout function if the user provides a wrong old password:

int userId = User.Identity.GetUserId<int>();
IdentityResult result = await UserManager.ChangePasswordAsync(userId, model.OldPassword, model.NewPassword);
if (result.Succeeded)
{
    // Successful change: clear the failed-attempt counter.
    await UserManager.ResetAccessFailedCountAsync(userId);
}
else
{
    // You can add logic to check whether the call failed because of an incorrect
    // old password, and only then execute the following line.
    // It records a failed attempt; the account locks once the configured maximum is reached.
    await UserManager.AccessFailedAsync(userId);
}

Upvotes: 2
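One way to tell a wrong old password apart from other failures, as an added example that is not part of the original answer: check the old password separately before calling ChangePasswordAsync, so a new password that fails validation does not count toward lockout. The helper class, method and enum names are hypothetical; it assumes ASP.NET Identity 2.x with a user store that supports lockout and lockout enabled for the user.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

// Hypothetical outcome type for this example (not part of ASP.NET Identity).
public enum ChangePasswordOutcome { Changed, WrongOldPassword, LockedOut, Rejected }

// Hypothetical helper; assumes a store implementing IUserLockoutStore.
public static class LockoutAwarePasswordChange
{
    public static async Task<ChangePasswordOutcome> ChangeAsync<TUser, TKey>(
        UserManager<TUser, TKey> manager, TKey userId,
        string oldPassword, string newPassword)
        where TUser : class, IUser<TKey>
        where TKey : IEquatable<TKey>
    {
        var user = await manager.FindByIdAsync(userId);
        if (user == null)
            return ChangePasswordOutcome.Rejected;

        // Refuse further guesses while the account is already locked out.
        if (await manager.IsLockedOutAsync(userId))
            return ChangePasswordOutcome.LockedOut;

        // Verify the old password on its own so that only a wrong old password,
        // not a rejected new password, is recorded as a failed attempt.
        if (!await manager.CheckPasswordAsync(user, oldPassword))
        {
            await manager.AccessFailedAsync(userId);
            return await manager.IsLockedOutAsync(userId)
                ? ChangePasswordOutcome.LockedOut
                : ChangePasswordOutcome.WrongOldPassword;
        }

        var result = await manager.ChangePasswordAsync(userId, oldPassword, newPassword);
        if (!result.Succeeded)
            return ChangePasswordOutcome.Rejected; // e.g. new password failed validation

        // Correct old password and successful change: clear the counter.
        await manager.ResetAccessFailedCountAsync(userId);
        return ChangePasswordOutcome.Changed;
    }
}
```

The lockout threshold and duration come from the manager's MaxFailedAccessAttemptsBeforeLockout and DefaultAccountLockoutTimeSpan settings.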
