Blocking access resource after 10 unsuccessful login attempts by the user.

  • Question

  • User-199788946 posted

    I am a new guy in ASP.NET. This is my first question on this site. I want to block access to the resource after 10 unsuccessful login attempts. I want to add a limitation so that when a user makes 10 wrong attempts, I list that user in a block list. All operations should be done using a database with the ADO.NET Entity Data Model.

    Monday, April 6, 2020 4:33 PM

All replies

  • User1192570106 posted

    Here is a similar thread if you are using a membership database; you can see this:

    https://forums.asp.net/t/1841771.aspx?Block+user+for+15+minutes+after+5+login+attempts

    If you are using ASP.NET Core, refer to the link below:

    http://www.dotnet-tutorials.net/Article/lockout-user-after-failed-login-attempts-in-asp-net-identity

    Monday, April 6, 2020 6:20 PM
  • User-199788946 posted

    First of all, thank you for your reply. I am not using a membership database; also, I want to do it in ASP.NET Web API, not in .NET Core. I am just sending a JSON request to the server like:

    {
    	"FromDate":"2020-04-04",
    	"ToDate":"2020-04-04",
    	"Username":"ram",
    	"Password":"ram123",
    	"RequestId":"12"
    }

    I want to add the incoming IP to a block list if it makes more than 10 unsuccessful login attempts. I have stored these values in the database. What is the best approach to do so? Please help. I have tried maintaining a count but I was unsuccessful.

    Monday, April 6, 2020 10:17 PM
  • User475983607 posted

    I want to add the incoming IP to a block list if it makes more than 10 unsuccessful login attempts. I have stored these values in the database. What is the best approach to do so? Please help. I have tried maintaining a count but I was unsuccessful.

    Can you share all the relevant code that maintains the count? Can you share any errors?

    Monday, April 6, 2020 10:36 PM
  • User-199788946 posted

    Oh yeah, somehow I managed to write the code. Is this the right approach:

    Count.counter++;
    var ress = _db.APITables.Find(tb.Id);
    if (Count.counter == 3)
    {
        bool BlockStatus = true;
        if (ress != null)
        {
            ress.BlockStatus = BlockStatus;
            _db.SaveChanges();
        }
    }
    else if (Count.counter == 3 || ress.BlockStatus == true)
    {
        return Request.CreateErrorResponse(HttpStatusCode.Forbidden, "Sorry you are blocked");
    }

    Here, Count.counter is the static variable

    Tuesday, April 7, 2020 5:54 AM
  • User475983607 posted

    Here, Count.counter is the static variable

    A static variable will not work in a web application. Every user has access to the same variable. Once one user gets to 10 attempts all users are blocked.

    Store the value in a table in the User account table.

    Tuesday, April 7, 2020 10:46 AM
  • User-199788946 posted

    I have stored the Count value in the database, but the problem is:

    var res = db.APITables.FirstOrDefault(model => model.Username == tb.Username && model.Password == tb.Password && model.HostIP==ip);

    In the above line I am just checking whether the username, password and host IP are correct in my database. If the user supplies a wrong username and password, it directly returns null. Count gets executed only if the supplied username and password are incorrect, which means the count database field never reaches the wrong user. Where do I store Count and how do I check Count? Please help.

    Wednesday, April 8, 2020 1:39 PM
  • User475983607 posted

    I have stored the Count value in the database, but the problem is:

    var res = db.APITables.FirstOrDefault(model => model.Username == tb.Username && model.Password == tb.Password && model.HostIP==ip);

    In the above line I am just checking whether the username, password and host IP are correct in my database. If the user supplies a wrong username and password, it directly returns null. Count gets executed only if the supplied username and password are incorrect, which means the count database field never reaches the wrong user. Where do I store Count and how do I check Count? Please help.

    Use a cookie to save the unsuccessful login attempts when the username is not found.  

    Keep in mind that the IP is not reliable and can be used by a group of users. Restricting by IP is a firewall function, not a web site.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, April 8, 2020 1:47 PM
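
Added example (not code from any poster in this thread): a per-account failure counter of the kind the replies above point to, where the row is looked up by username alone so that a wrong password still finds a row to count against. The `Account` class, the `FailedCount` column, the PBKDF2 password check and the in-memory dictionary standing in for the database table are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical row: the thread's APITable plus a per-account failure counter.
class Account
{
    public byte[] Salt, Hash;   // PBKDF2 output instead of a plaintext password
    public int FailedCount;
    public bool BlockStatus;
}
static class LoginGuard
{
    const int MaxFailures = 10; // threshold from the question
    public static byte[] Derive(string pw, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(pw, salt, 100000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    // 'table' stands in for the database table, keyed by username (assumption).
    public static string TryLogin(IDictionary<string, Account> table, string user, string pw)
    {
        // Query by username only, so a wrong password still finds the row.
        if (!table.TryGetValue(user, out Account row)) return "failed"; // unknown user: no row to count against
        if (row.BlockStatus) return "blocked";
        byte[] got = Derive(pw, row.Salt);
        int diff = got.Length ^ row.Hash.Length;           // constant-time comparison
        for (int i = 0; i < got.Length && i < row.Hash.Length; i++) diff |= got[i] ^ row.Hash[i];
        if (diff == 0) { row.FailedCount = 0; return "ok"; }  // reset on success
        if (++row.FailedCount >= MaxFailures) row.BlockStatus = true;
        // A real handler would persist the row (SaveChanges) before returning.
        return row.BlockStatus ? "blocked" : "failed";
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample data.
        byte[] salt = { 1, 2, 3, 4, 5, 6, 7, 8 };
        var table = new Dictionary<string, Account> {
            ["ram"] = new Account { Salt = salt, Hash = LoginGuard.Derive("correct-password", salt) },
            ["sita"] = new Account { Salt = salt, Hash = LoginGuard.Derive("other-password", salt) } };
        for (int i = 1; i <= 10; i++)
            Console.WriteLine("ram attempt " + i + ": " + LoginGuard.TryLogin(table, "ram", "wrong"));
        Console.WriteLine("ram, correct password: " + LoginGuard.TryLogin(table, "ram", "correct-password"));
        Console.WriteLine("sita, correct password: " + LoginGuard.TryLogin(table, "sita", "other-password"));
    }
}
```

Because the counter lives on the account row rather than in a static variable or on the client IP, ten failures against `ram` leave `sita` unaffected.
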
  • User-199788946 posted

    Keep in mind that the IP is not reliable and can be used by a group of users. Restricting by IP is a firewall function, not a web site.

    I also want to check the IP from the host (client) URL and match it to the IP stored in the database. If the IP of the host does not match the IP stored in the database, I don't allow that host to access the resource. Is this not a good idea? I am a beginner and still learning, and I have no proper idea, so please help and give me a proper idea. Is using the username and password enough, or do I have to check the IP also?

    I have found this code to find the IP of the host:

            public string GetClientIp(HttpRequestMessage request = null)
            {
                request = request ?? Request;
    
                if (request.Properties.ContainsKey("MS_HttpContext"))
                {
                    return ((HttpContextWrapper)request.Properties["MS_HttpContext"]).Request.UserHostAddress;
                }
                else if (request.Properties.ContainsKey(RemoteEndpointMessageProperty.Name))
                {
                    RemoteEndpointMessageProperty prop = (RemoteEndpointMessageProperty)request.Properties[RemoteEndpointMessageProperty.Name];
                    return prop.Address;
                }
                else if (HttpContext.Current != null)
                {
                    return HttpContext.Current.Request.UserHostAddress;
                }
                else
                {
                    return null;
                }
            }



     

    Wednesday, April 8, 2020 2:48 PM