Password Reset and Attempts

Question
User-1314346660 posted
Hello experts,
I have a Web Forms application that uses Microsoft Identity to manage users and permissions. It's set up as per below:
I am trying to implement two additional functions but cannot find a tutorial to help me do it. They are:
- Add Max login attempts e.g. Account locks after 5 invalid attempts
- Add functionality to force password reset after set amount of time. This could be a period e.g. 90 days or a push setting created by an admin account
Can anyone point me in the right direction to implement this? I am very grateful for any advice. Thanks in advance.
Billson3000
Wednesday, June 10, 2020 9:58 AM
All replies
User475983607 posted
Billson3000
"Add Max login attempts e.g. Account locks after 5 invalid attempts"
The Identity API you are using already has this feature and the default template adds the configuration in IdentityConfig.cs. Simply create a new Web Forms project and use the Individual Account section to see the config.
Billson3000
"Add functionality to force password reset after set amount of time. This could be a period e.g. 90 days or a push setting created by an admin account"
This is code that you must design and write. I would use a LastPasswordUpdate claim to handle this logic. Add the claim when the user creates the account. Update the claim when the user updates the password. Check the claim when the user logs in and redirect to the update password page if the password expired. You can also add a column to the user table to hold the last password change DateTime.
Wednesday, June 10, 2020 11:31 AM
User-1314346660 posted
Hello mgebhard,
Thanks for taking the time to reply.
Re MAX Attempts... I have checked the Identity Config. It shows:
    // Configure user lockout defaults
    manager.UserLockoutEnabledByDefault = true;
    manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(5);
    manager.MaxFailedAccessAttemptsBeforeLockout = 5;
    manager.EmailService = new EmailService();
    manager.SmsService = new SmsService();
    var dataProtectionProvider = options.DataProtectionProvider;
    if (dataProtectionProvider != null)
    {
        manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(dataProtectionProvider.Create("ASP.NET Identity"));
    }
    return manager;
Which is what I thought was happening. It's only when I test this that I have found it isn't triggering a lockout. Any ideas?
Billson3000
Wednesday, June 10, 2020 1:04 PM
User475983607 posted
Did you enable lockout for the user?
UserManager.SetLockoutEnabled(user.Id, true);
Reference documentation.
https://docs.microsoft.com/en-us/previous-versions/aspnet/mt151687(v%3Dvs.108)
https://docs.microsoft.com/en-us/previous-versions/aspnet/mt151730(v%3Dvs.108)
Wednesday, June 10, 2020 1:29 PM
User-1314346660 posted
No, I don't know how to do that. Hence the question on the forum!!! :)
Wednesday, June 10, 2020 1:40 PM
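The two points discussed in this thread (per-user lockout and a LastPasswordUpdate claim checked at login), as an added example that is not code from any poster or from the Identity project. It assumes the ApplicationUserManager and ApplicationSignInManager classes generated by the Individual Accounts template; LoginPolicy and its member names are hypothetical, and the 90-day limit is the figure from the question.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Added example: LoginPolicy and its members are hypothetical names.
// ApplicationUserManager / ApplicationSignInManager come from the project template.
public static class LoginPolicy
{
    public const string LastPasswordUpdate = "LastPasswordUpdate"; // claim type
    public static readonly TimeSpan MaxPasswordAge = TimeSpan.FromDays(90);

    public static SignInStatus SignIn(ApplicationUserManager users, ApplicationSignInManager signIn,
        string userName, string password, bool remember, out bool passwordExpired)
    {
        var user = users.FindByName(userName);
        // UserLockoutEnabledByDefault is applied only when an account is created; an account
        // whose LockoutEnabled flag is false is never reported as locked out.
        // Assumption: the policy is that every account is subject to lockout.
        if (user != null && !users.GetLockoutEnabled(user.Id))
            users.SetLockoutEnabled(user.Id, true);
        // shouldLockout: true counts a wrong password towards MaxFailedAccessAttemptsBeforeLockout.
        var status = signIn.PasswordSignIn(userName, password, remember, shouldLockout: true);
        passwordExpired = status == SignInStatus.Success && IsExpired(users, user.Id);
        return status;
    }

    public static bool IsExpired(ApplicationUserManager users, string userId)
    {
        var claim = users.GetClaims(userId).FirstOrDefault(c => c.Type == LastPasswordUpdate);
        DateTime changed;
        // A missing or unparsable claim counts as expired (fail closed).
        if (claim == null || !DateTime.TryParse(claim.Value, CultureInfo.InvariantCulture,
                                                DateTimeStyles.RoundtripKind, out changed))
            return true;
        return DateTime.UtcNow - changed.ToUniversalTime() > MaxPasswordAge;
    }

    // Call after account creation and after every successful password change or reset.
    public static void StampPasswordChange(ApplicationUserManager users, string userId)
    {
        foreach (var old in users.GetClaims(userId).Where(c => c.Type == LastPasswordUpdate).ToList())
            users.RemoveClaim(userId, old);
        users.AddClaim(userId, new Claim(LastPasswordUpdate,
            DateTime.UtcNow.ToString("o", CultureInfo.InvariantCulture)));
    }
}
```

When passwordExpired is true the sign-in cookie has already been issued, so the caller redirects to the change-password page and other authenticated pages should repeat the IsExpired check.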