Tags: asp.net-mvc-4, asp.net-membership, membership-provider, simplemembership

SimpleMembershipProvider: webpages_Membership table


Which is the best method to access the webpages_Membership table information using a SimpleMembershipProvider in MVC 4? I'm trying to implement an account block if he/she inputs a wrong password three times.

Many thanks


Solution

  • Using SimpleMembership you would access this information with the following method:

    WebSecurity.IsAccountLockedOut(userName, allowedPasswordAttempts, intervalInSeconds)
    

    IsAccountLockedOut returns whether the account is locked or not based on the number of attempts you want to allow and the time since the last failed logon attempt. This is used to stop brute force attempts to crack the password by other machines. You would add this check where you authenticate the user, such as the Account controller's Login method. You could do something like this:

        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public ActionResult Login(LoginModel model, string returnUrl)
        {
            if (ModelState.IsValid && 
               !WebSecurity.IsAccountLockedOut(model.UserName, 3, 180) &&
               WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
            {
                return RedirectToLocal(returnUrl);
            }
    
            // If we got this far, something failed, redisplay form
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View(model);
        }
    

    You do not want to completely disable the user in this case, and instead allow a valid user to get back in after the interval has passed. This is to stop brute force attacks, not people that forgot their password.

    The IsConfirmed field is used during registration when you want the user to confirm they gave you a valid email address. You would generate and store a ConfirmationToken in the database that you would email to the user and instruct them to click on a link that would take them to a controller/action in your MVC app that would verify the token and set the IsConfirmed field to true.
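The confirmation flow described in that last paragraph, written out as an added example (not code from the answer above or from the MVC 4 project template). It uses the real WebMatrix.WebData.WebSecurity calls CreateUserAndAccount (with requireConfirmationToken: true) and ConfirmAccount; the RegisterModel.Email property, the view names and the SMTP sender address are assumptions for the example, and mail settings are taken from web.config's system.net/mailSettings as SmtpClient does by default.

```csharp
using System;
using System.Net.Mail;
using System.Web.Mvc;
using System.Web.Security;
using WebMatrix.WebData;

public class AccountController : Controller
{
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Register(RegisterModel model)   // RegisterModel.Email is assumed
    {
        if (!ModelState.IsValid)
            return View(model);

        try
        {
            // requireConfirmationToken: true writes the row to webpages_Membership with
            // IsConfirmed = 0 and a fresh ConfirmationToken, and returns that token.
            // WebSecurity.Login will keep returning false for this user until the
            // account is confirmed.
            string token = WebSecurity.CreateUserAndAccount(
                model.UserName,
                model.Password,
                propertyValues: new { Email = model.Email },
                requireConfirmationToken: true);

            // Build an absolute link back to the confirmation action below.
            string link = Url.Action("RegisterConfirmation", "Account",
                new { token = token }, Request.Url.Scheme);

            SendConfirmationEmail(model.Email, link);

            return View("CheckYourEmail");           // assumed view name
        }
        catch (MembershipCreateUserException e)
        {
            // Duplicate user name, invalid password, etc.
            ModelState.AddModelError("", e.Message);
        }
        return View(model);
    }

    // The user lands here from the emailed link.
    [AllowAnonymous]
    public ActionResult RegisterConfirmation(string token)
    {
        // ConfirmAccount looks the token up in webpages_Membership and sets
        // IsConfirmed = 1 when it matches; it returns false for an unknown token,
        // so a guessed or reused link does not confirm anything.
        if (!string.IsNullOrEmpty(token) && WebSecurity.ConfirmAccount(token))
            return View("ConfirmationSuccess");      // assumed view name

        return View("ConfirmationFailure");          // assumed view name
    }

    // Sends the link using the SMTP settings from web.config.
    private static void SendConfirmationEmail(string to, string link)
    {
        var message = new MailMessage("no-reply@example.com", to)  // assumed sender
        {
            Subject = "Confirm your account",
            Body = "Please confirm your account by opening this link: " + link
        };
        using (var client = new SmtpClient())
        {
            client.Send(message);
        }
    }
}
```

In the Login action, WebSecurity.IsConfirmed(model.UserName) can be checked before WebSecurity.Login if you want to tell an unconfirmed user why the login fails instead of showing the generic "user name or password" message; the lockout check from the answer above still applies in the same place, since a confirmed account is still subject to the failed-attempt counter.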