Password Reset and Attempts

All replies

  • User475983607 posted

    Billson3000

    Add Max login attempts e.g. Account locks after 5 invalid attempts

    The Identity API you are using already has this feature and the default template adds the configuration in IdentityConfig.cs.  Simply create a new Web Forms project and use the Individual Account section to see the config.

    Billson3000

    Add functionality to force password reset after set amount of time. This could be a period e.g. 90 days or a push setting created by an admin account

    This is code that you must design and write.  I would use a LastPasswordUpdate claim to handle this logic.  Add the claim when the user creates the account.  Update the claim when the user updates the password.  Check the claim when the user logs in and redirect to the update password page if the password expired.  You can also add a column to the user table to hold the last password change DateTime.

    Wednesday, June 10, 2020 11:31 AM
  • User-1314346660 posted

    Hello mgebhard,

    Thanks for taking the time to reply.

    Re MAX Attempts... I have checked the Identity Config. It shows:

                // Configure user lockout defaults
                manager.UserLockoutEnabledByDefault = true;
                manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(5);
                manager.MaxFailedAccessAttemptsBeforeLockout = 5;
    
                manager.EmailService = new EmailService();
                manager.SmsService = new SmsService();
                var dataProtectionProvider = options.DataProtectionProvider;
                if (dataProtectionProvider != null)
                {
                    manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(dataProtectionProvider.Create("ASP.NET Identity"));
                }
                return manager;

    Which is what I thought was happening. It's only when I test this that I have found it isn't triggering a lockout. Any ideas?

    Billson3000

    Wednesday, June 10, 2020 1:04 PM
  • User475983607 posted

    Did you enable lockout for the user?  

    UserManager.SetLockoutEnabled(user.Id, true);

    Reference documentation.

    https://docs.microsoft.com/en-us/previous-versions/aspnet/mt151687(v%3Dvs.108)

    https://docs.microsoft.com/en-us/previous-versions/aspnet/mt151730(v%3Dvs.108)

    Wednesday, June 10, 2020 1:29 PM
  • User-1314346660 posted

    No I don't know how to do that. Hence the question on the forum !!! :)

    Wednesday, June 10, 2020 1:40 PM
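
The following is an added example, not code from any poster in this thread. It shows the two conditions ASP.NET Identity 2 needs before the `MaxFailedAccessAttemptsBeforeLockout` setting quoted above takes effect. `LockoutHelper` is a hypothetical name, and `ApplicationUser`, `ApplicationUserManager` and `ApplicationSignInManager` are assumed to be the classes generated by the Individual Accounts template.

```csharp
using System;
using System.Linq;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Hypothetical helper (added example). The Application* types are assumed to be
// the ones the template generates in IdentityConfig.cs and IdentityModels.cs.
public static class LockoutHelper
{
    // Condition 1: the per-user LockoutEnabled flag must be true.
    // UserLockoutEnabledByDefault is applied only when UserManager creates an
    // account, so accounts that already existed keep LockoutEnabled = false
    // and are never reported as locked out.
    public static int EnableLockoutForExistingUsers(ApplicationUserManager manager)
    {
        var ids = manager.Users
                         .Where(u => !u.LockoutEnabled)
                         .Select(u => u.Id)
                         .ToList();

        foreach (var id in ids)
        {
            IdentityResult result = manager.SetLockoutEnabled(id, true);
            if (!result.Succeeded)
            {
                throw new InvalidOperationException(string.Join("; ", result.Errors));
            }
        }
        return ids.Count; // number of accounts that were switched on
    }

    // Condition 2: the sign-in call must count failures.
    // With shouldLockout: false a wrong password never increments
    // AccessFailedCount, so the configured maximum is never reached.
    public static SignInStatus SignIn(ApplicationSignInManager signInManager,
                                      string userName, string password, bool rememberMe)
    {
        SignInStatus status = signInManager.PasswordSignIn(
            userName, password, rememberMe, shouldLockout: true);

        // SignInStatus.LockedOut is returned while the lockout window
        // (DefaultAccountLockoutTimeSpan) is still running; the caller should
        // show the same generic message for Failure and LockedOut if it does
        // not want to reveal which accounts exist.
        return status;
    }
}
```

If lockout still does not trigger after enabling it per user, check the `shouldLockout` argument in the login page's own `PasswordSignIn` call.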