Based on the guides I've read online, to lock out the user after x attempts you have to configure the manager like this:

```csharp
manager.UserLockoutEnabledByDefault = true;
manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromDays(365);
manager.MaxFailedAccessAttemptsBeforeLockout = 1;
```

Then:

```csharp
var result = await SignInManager.PasswordSignInAsync(dto.Email, dto.Password, dto.RememberMe, shouldLockout: true);
```

When I tried this, my users never got locked out. I was monitoring the database and I see the following fields:

| LockoutEndDateUtc | LockoutEnabled | AccessFailedCount |
|---|---|---|
| 2016-04-23 21:33:18.777 | 0 | 0 |
| 2016-04-23 21:32:36.470 | 1 | 0 |

The `AccessFailedCount` never increases, and `LockoutEnabled` doesn't seem to matter for either account; I tried locking both.
EDIT:

I am wondering if the problem is with the way I am injecting:

Startup.cs

```csharp
private IAppBuilder _app;

public void Configuration(IAppBuilder app)
{
    ConfigureAuth(app);
    _app = app;
    app.UseNinjectMiddleware(CreateKernel);
}

private IKernel CreateKernel()
{
    var kernel = new StandardKernel();
    kernel.Load(Assembly.GetExecutingAssembly());
    kernel.Bind<DbContext>().ToSelf().InRequestScope();
    kernel.Bind<IDbContext>().To<DbContext>().InRequestScope();
    kernel.Bind<IUserStore<User>>().To<ApplicationUserStore>();
    kernel.Bind<UserService>().ToSelf();
    kernel.Bind<SignInService>().ToSelf();
    kernel.Bind<IAuthenticationManager>().ToMethod(x => HttpContext.Current.GetOwinContext().Authentication);
    kernel.Bind<IDataProtectionProvider>().ToMethod(x => _app.GetDataProtectionProvider());
    return kernel;
}
```
Recently I also found this out, and my solution was to manually increment the failed attempts. It automatically resets when the maximum is reached and a timed account lock is activated.

```csharp
if (!UserManager.CheckPassword(usr, password)) {
    // incorrect password... increment failed count
    if (UserManager.AccessFailed(usr.Id) != IdentityResult.Success) {
        // increment of failed attempt gave an error
        Log.Err("Error Message");
    }
    // warn the user
    return View(model);
}
```

IdentityConfig.cs file has:

```csharp
// configure user lockout defaults
manager.UserLockoutEnabledByDefault = true;
manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(15);
manager.MaxFailedAccessAttemptsBeforeLockout = 5;
```

And if the account is locked, this code checks for it:

```csharp
if (UserManager.IsLockedOut(usr.Id)) {
    // account locked, too many attempts
    // warn user - number of minutes locked = UserManager.DefaultAccountLockoutTimeSpan.Minutes
    return View(model);
}
```
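The state transitions that the answer's `AccessFailed` / `IsLockedOut` calls rely on, as an added example that is part of neither post and is not the Microsoft.AspNet.Identity code: a plain C# in-memory model (`LockoutUser`, `LockoutPolicy` and a constructed clock are all hypothetical names) that reproduces the Identity 2.x rules, namely that the failed-access counter is incremented on every wrong password, that reaching `MaxFailedAccessAttemptsBeforeLockout` stamps `LockoutEndDateUtc` and resets the counter to zero, and that `IsLockedOut` is true only when the per-user `LockoutEnabled` flag is set and the end date is still in the future. Two caveats worth checking against the question's table: `UserLockoutEnabledByDefault` is applied when a user is created, so rows that already exist with `LockoutEnabled = 0` can accumulate an end date but never lock until the flag is set on them, and `SignInManager.PasswordSignInAsync` looks the user up by user name, so passing an email that is not also the user name returns `Failure` before any counter is touched.

```csharp
using System;

// Constructed sample record mirroring the three columns shown in the question's table.
public class LockoutUser
{
    public string Email { get; set; }
    public string Password { get; set; }          // constructed sample only; a real store holds a hash
    public bool LockoutEnabled { get; set; }
    public DateTime? LockoutEndDateUtc { get; set; }
    public int AccessFailedCount { get; set; }
}

public enum SignInStatus { Success, Failure, LockedOut }

// Hypothetical policy object standing in for the UserManager/SignInManager pair.
public class LockoutPolicy
{
    public int MaxFailedAccessAttemptsBeforeLockout { get; set; } = 5;
    public TimeSpan DefaultAccountLockoutTimeSpan { get; set; } = TimeSpan.FromMinutes(15);
    public Func<DateTime> UtcNow { get; set; } = () => DateTime.UtcNow;   // injectable clock

    // Same rule as UserManager.IsLockedOut: the per-user flag gates everything.
    public bool IsLockedOut(LockoutUser user) =>
        user.LockoutEnabled && user.LockoutEndDateUtc.HasValue && user.LockoutEndDateUtc.Value > UtcNow();

    // Same transitions as UserManager.AccessFailed: count up; at the threshold, stamp the
    // end date and reset the counter. The counter and end date are written even when
    // LockoutEnabled is false; only IsLockedOut consults the flag.
    public void AccessFailed(LockoutUser user)
    {
        user.AccessFailedCount++;
        if (user.AccessFailedCount >= MaxFailedAccessAttemptsBeforeLockout)
        {
            user.LockoutEndDateUtc = UtcNow().Add(DefaultAccountLockoutTimeSpan);
            user.AccessFailedCount = 0;
        }
    }

    // Order of checks as in SignInManager.PasswordSignInAsync with shouldLockout: true:
    // lockout check first, then password, then increment on failure.
    public SignInStatus PasswordSignIn(LockoutUser user, string password, bool shouldLockout)
    {
        if (IsLockedOut(user)) return SignInStatus.LockedOut;
        if (user.Password == password)
        {
            user.AccessFailedCount = 0;           // ResetAccessFailedCount on success
            return SignInStatus.Success;
        }
        if (shouldLockout)
        {
            AccessFailed(user);
            if (IsLockedOut(user)) return SignInStatus.LockedOut;
        }
        return SignInStatus.Failure;
    }
}

public static class Program
{
    public static void Main()
    {
        var now = new DateTime(2016, 4, 23, 21, 30, 0, DateTimeKind.Utc);   // constructed clock
        var policy = new LockoutPolicy { MaxFailedAccessAttemptsBeforeLockout = 3, UtcNow = () => now };

        // Two constructed users: one with the per-user flag off (like the first row in the
        // question's table), one with it on.
        var flagOff = new LockoutUser { Email = "a@example.test", Password = "correct", LockoutEnabled = false };
        var flagOn  = new LockoutUser { Email = "b@example.test", Password = "correct", LockoutEnabled = true };

        foreach (var user in new[] { flagOff, flagOn })
        {
            for (int i = 1; i <= 4; i++)
            {
                var status = policy.PasswordSignIn(user, "wrong", shouldLockout: true);
                Console.WriteLine($"{user.Email} attempt {i}: {status}, AccessFailedCount={user.AccessFailedCount}, " +
                                  $"LockoutEndDateUtc={user.LockoutEndDateUtc:O}");
            }
        }

        // Move the clock past DefaultAccountLockoutTimeSpan so the locked user's window expires.
        now = now.AddMinutes(16);
        Console.WriteLine($"{flagOn.Email} after 16 min with the right password: {policy.PasswordSignIn(flagOn, "correct", true)}");
    }
}
```

Run it and compare the printed `AccessFailedCount` / `LockoutEndDateUtc` columns with the database rows in the question: a counter that stays at zero across repeated wrong passwords means `AccessFailed` was never reached (for example because the user lookup failed), whereas a counter that climbs and an end date that is written but never enforced points at the per-user `LockoutEnabled` flag.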