Password Reset and Attempts

Question

User-1314346660 posted

Hello experts,

I have a web forms application that uses Microsoft Identity to manage users and permissions. Its set up as per below:

https://docs.microsoft.com/en-us/aspnet/web-forms/overview/security/create-a-secure-aspnet-web-forms-app-with-user-registration-email-confirmation-and-password-reset

I am trying to implement two additional functions but cannot find a tutorial to help me do it. They are:

1. Add Max login attempts e.g. Account locks after 5 invalid attempts
2. Add functionality to force password reset after set amount of time. This could be a period e.g. 90 days or a push setting created by an admin account

Can anyone point me in the right direction to implement this. I am very grateful for any advice. Thanks in advance.

Billson3000

Answer 1

User475983607 posted

Billson3000

Add Max login attempts e.g. Account locks after 5 invalid attempts

The Identity API you are using already has this feature and the default template adds the configuration in IdentityConfig.cs.  Simply create a new Web Forms project and use the Individual Account section to see the config.

Billson3000

Add functionality to force password reset after set amount of time. This could be a period e.g. 90 days or a push setting created by an admin account

This is code that you must design and write.  I would use a LastPasswordUpdate claim to handle this logic.  Add the claim when the user creates the account.  Update the claim when the user updates the password.  Check the claim when the user logs in and redirect to the update password page if the password expired.  You can also add a column to the user table to hold the last password change DateTime.

Answer 2

User-1314346660 posted

Hello mgebhard,

Thanks for taking the time to reply.

Re MAX Attempts... I have checked the Identity Config. It shows:

            // Configure user lockout defaults
            manager.UserLockoutEnabledByDefault = true;
            manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(5);
            manager.MaxFailedAccessAttemptsBeforeLockout = 5;

            manager.EmailService = new EmailService();
            manager.SmsService = new SmsService();
            var dataProtectionProvider = options.DataProtectionProvider;
            if (dataProtectionProvider != null)
            {
                manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(dataProtectionProvider.Create("ASP.NET Identity"));
            }
            return manager;

Which is what I thought was happening. Its only when I test this that I have found it isn't triggering a lockout. Any ideas?

Billson3000

Answer 3

User475983607 posted

Did you enable lockout for the user?  

UserManager.SetLockoutEnabled(user.Id, true);

Reference documentation.

https://docs.microsoft.com/en-us/previous-versions/aspnet/mt151687(v%3Dvs.108)

https://docs.microsoft.com/en-us/previous-versions/aspnet/mt151730(v%3Dvs.108)

Answer 4

User-1314346660 posted

No I don't know how to do that. Hence the question on the forum !!! :)