Asp.net Membership Lock Out

on 03.01.2008 19:30:59 by rmgalante

I am using the standard asp.net membership provider. I have users who
forget their password. They attempt to login 5 times and they get
locked out. The membership configuration in web.config follows.

enablePasswordReset="true" requiresQuestionAndAnswer="false"
applicationName="SomeApp" requiresUniqueEmail="true"
passwordFormat="Hashed" maxInvalidPasswordAttempts="5"
passwordAttemptWindow="10" passwordStrengthRegularExpression=""
minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0"
name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider"/>

Once the user is locked out, the reset password doesn't work. I have
to unlock the user before it will send a new password. Is this the
correct operation of this feature? Do I have to manually unlock these
users before they can retrieve a new password?

Thanks.

Rob

Re: Asp.net Membership Lock Out

on 03.01.2008 23:33:39 by Phil H

On 3 Jan, 18:30, rmgala...@galaware.com wrote:
> I am using the standard asp.net membership provider. I have users who
> forget their password. They attempt to login 5 times and they get
> locked out. The membership configuration in web.config follows.
>
> enablePasswordReset="true" requiresQuestionAndAnswer="false"
> applicationName="SomeApp" requiresUniqueEmail="true"
> passwordFormat="Hashed" maxInvalidPasswordAttempts="5"
> passwordAttemptWindow="10" passwordStrengthRegularExpression=""
> minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0"
> name="AspNetSqlMembershipProvider"
> type="System.Web.Security.SqlMembershipProvider"/>
>
> Once the user is locked out, the reset password doesn't work. I have
> to unlock the user before it will send a new password. Is this the
> correct operation of this feature? Do I have to manually unlock these
> users before they can retrieve a new password?
>
> Thanks.
>
> Rob

Hi

The help files for the Membership class say this:

"If the number of invalid passwords or password answers entered for a
membership user is greater than or equal to the value of the
MaxInvalidPasswordAttempts property within the number of minutes
specified by the PasswordAttemptWindow property, then the user is
locked out of the Web site by setting the IsLockedOut property to true
until the user is unlocked by a call to the UnlockUser method.

If a valid password or password answer is supplied before the value of
the MaxInvalidPasswordAttempts property is reached, the counter that
tracks the number of invalid attempts is set to zero."

My interpretation of this is that a lock-out status cannot be undone
with a belated request for help by the user.

If I'm right then the only way round it is to create a custom process
for password retrieval that will execute the UnlockUser method once
the user has been verified as genuine (perhaps by e-mail).

Re: Asp.net Membership Lock Out

on 08.01.2008 14:45:19 by rmgalante

On Jan 3, 5:33 pm, Phil H wrote:
> On 3 Jan, 18:30, rmgala...@galaware.com wrote:
>
> > I am using the standard asp.net membership provider. I have users who
> > forget their password. They attempt to login 5 times and they get
> > locked out. The membership configuration in web.config follows.
>
> > enablePasswordReset="true" requiresQuestionAndAnswer="false"
> > applicationName="SomeApp" requiresUniqueEmail="true"
> > passwordFormat="Hashed" maxInvalidPasswordAttempts="5"
> > passwordAttemptWindow="10" passwordStrengthRegularExpression=""
> > minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0"
> > name="AspNetSqlMembershipProvider"
> > type="System.Web.Security.SqlMembershipProvider"/>
>
> > Once the user is locked out, the reset password doesn't work. I have
> > to unlock the user before it will send a new password. Is this the
> > correct operation of this feature? Do I have to manually unlock these
> > users before they can retrieve a new password?
>
> > Thanks.
>
> > Rob
>
> Hi
>
> The help files for the Membership class say this:
>
> "If the number of invalid passwords or password answers entered for a
> membership user is greater than or equal to the value of the
> MaxInvalidPasswordAttempts property within the number of minutes
> specified by the PasswordAttemptWindow property, then the user is
> locked out of the Web site by setting the IsLockedOut property to true
> until the user is unlocked by a call to the UnlockUser method.
>
> If a valid password or password answer is supplied before the value of
> the MaxInvalidPasswordAttempts property is reached, the counter that
> tracks the number of invalid attempts is set to zero."
>
> My interpretation of this is that a lock-out status cannot be undone
> with a belated request for help by the user.
>
> If I'm right then the only way round it is to create a custom process
> for password retrieval that will execute the UnlockUser method once
> the user has been verified as genuine (perhaps by e-mail).

My solution is to unlock the user in the PasswordRecovery event,
VerifyingUser.
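
The approach named in the last post, sketched as an added example (not code from any poster in this thread): a `VerifyingUser` handler that unlocks the account before the `PasswordRecovery` control checks it. The page class, the control ID `PasswordRecovery1`, the handler name and the `MinLockout` cool-down are assumptions; the cool-down is added so that requesting a reset does not clear the failed-attempt lockout immediately.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a page hosting (hypothetical names):
//   <asp:PasswordRecovery ID="PasswordRecovery1" runat="server"
//        OnVerifyingUser="PasswordRecovery1_VerifyingUser" />
public partial class RecoverPassword : Page
{
    // Assumption: an account stays locked at least this long, so the recovery
    // form cannot be used to restart the maxInvalidPasswordAttempts counter at will.
    private static readonly TimeSpan MinLockout = TimeSpan.FromMinutes(10);

    protected void PasswordRecovery1_VerifyingUser(object sender, LoginCancelEventArgs e)
    {
        PasswordRecovery recovery = (PasswordRecovery)sender;

        // userIsOnline: false, so this lookup does not update LastActivityDate.
        MembershipUser user = Membership.GetUser(recovery.UserName, false);
        if (user == null || !user.IsLockedOut)
        {
            return; // unknown or not locked: the control proceeds as usual
        }

        // LastLockoutDate is reported in local time, so compare with DateTime.Now.
        TimeSpan lockedFor = DateTime.Now - user.LastLockoutDate;
        if (lockedFor < MinLockout)
        {
            // Too soon: leave the account locked. Recovery then fails exactly
            // as described in the first post, with no new password issued.
            return;
        }

        if (user.UnlockUser())
        {
            // Record every self-service unlock so repeated lock/unlock cycles
            // on one account show up in monitoring.
            System.Diagnostics.Trace.TraceInformation(
                "Membership unlock via password recovery: user={0}, lockedSince={1:o}",
                user.UserName, user.LastLockoutDate);
        }
    }
}
```

With `requiresQuestionAndAnswer="false"` the reset itself needs only the user name, so the new password e-mailed to the registered address is the only verification step in this flow.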