For a couple of days I have been playing with the MembershipReboot framework and, to be honest, it looks very good. I would use it for my applications.
However, the question that I have is about its lockout functionality. I have tried to lock my account a couple of times, but it seems that nothing happens. Here is my configuration:
<membershipReboot requireAccountVerification="true" emailIsUsername="false" multiTenant="false" allowAccountDeletion="true" passwordHashingIterationCount="0" accountLockoutDuration="00:05:00" passwordResetFrequency="0" accountLockoutFailedLoginAttempts="2" />
It seems that on my third or even fourth attempt I can log in without any issue. Also, I have investigated the DB that Membership uses and I cannot find any flags for a locked account.
My question is: does the lockout functionality come already implemented out of the box, or do I have to write my own logic there? If it is implemented, how can I enable it?
Account lockout in MembershipReboot uses two properties from the security settings configuration.
In your settings you are overriding the default values. So if you make more than 2 failed login attempts within a 5-minute window, your account is locked for another 5 minutes from your last failed login. If you try to log in 5 minutes after your last failed login, you will be logged in, as the account is no longer locked according to the lockout logic. If you try to log in within 5 minutes and your failed attempts have not exceeded the limit, you can still log in.
Code is better than words (check the VerifyPassword method). You will see all required properties for account lockout in the UserAccounts table, namely LastFailedLogin and FailedLoginCount:
protected virtual bool CheckHasTooManyRecentPasswordFailures(TAccount account)
{
    var result = false;
    if (Configuration.AccountLockoutFailedLoginAttempts <= account.FailedLoginCount)
    {
        // locked only while the last failure still falls inside the lockout window
        result = account.LastFailedLogin >= UtcNow.Subtract(Configuration.AccountLockoutDuration);
        if (!result)
        {
            // if we're past the lockout window, then reset to zero
            account.FailedLoginCount = 0;
        }
    }
    if (result)
    {
        // attempts made while locked keep the counter above the threshold
        account.FailedLoginCount++;
    }
    return result;
}
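As an added illustration (not code from the answer or from MembershipReboot itself), the following self-contained C# program runs the question's settings (2 attempts, 5-minute window) through the same check with a hand-stepped clock. The TryLogin wrapper, which stamps LastFailedLogin and bumps FailedLoginCount on a wrong password and clears the counter on success, is an assumption about the surrounding VerifyPassword logic, not something the page shows.

```csharp
using System;

// Stand-in for the two UserAccounts columns named in the answer.
class Account
{
    public int FailedLoginCount;
    public DateTime LastFailedLogin;
}

class LockoutDemo
{
    // Values taken from the question's <membershipReboot> element.
    const int AccountLockoutFailedLoginAttempts = 2;
    static readonly TimeSpan AccountLockoutDuration = TimeSpan.FromMinutes(5);

    static DateTime UtcNow;   // injectable clock so the window can be stepped deterministically

    // Same decision as CheckHasTooManyRecentPasswordFailures in the answer.
    static bool CheckHasTooManyRecentPasswordFailures(Account account)
    {
        var result = false;
        if (AccountLockoutFailedLoginAttempts <= account.FailedLoginCount)
        {
            // locked only while the last failure is still inside the window
            result = account.LastFailedLogin >= UtcNow.Subtract(AccountLockoutDuration);
            if (!result) account.FailedLoginCount = 0;   // window elapsed: start over
        }
        if (result) account.FailedLoginCount++;          // attempts while locked keep counting
        return result;
    }

    // Assumption (not from the page): a wrong password stamps LastFailedLogin and
    // bumps the counter; a correct one outside the lockout clears the counter.
    static bool TryLogin(Account account, bool passwordCorrect)
    {
        if (CheckHasTooManyRecentPasswordFailures(account)) return false;
        if (passwordCorrect) { account.FailedLoginCount = 0; return true; }
        account.LastFailedLogin = UtcNow;
        account.FailedLoginCount++;
        return false;
    }

    static void Main()
    {
        var acct = new Account();
        var t0 = new DateTime(2014, 1, 1, 12, 0, 0, DateTimeKind.Utc);   // constructed start time
        UtcNow = t0;               TryLogin(acct, false);   // failure 1
        UtcNow = t0.AddMinutes(1); TryLogin(acct, false);   // failure 2: threshold of 2 reached
        UtcNow = t0.AddMinutes(2); // last failure was 1 min ago, inside the 5-min window: refused
        Console.WriteLine("t+2min, correct password: " + (TryLogin(acct, true) ? "accepted" : "refused"));
        UtcNow = t0.AddMinutes(7); // 6 min since last failure, window elapsed: counter reset, accepted
        Console.WriteLine("t+7min, correct password: " + (TryLogin(acct, true) ? "accepted" : "refused"));
    }
}
```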