Display a message if an account is locked out after failed login attempts
I am using Umbraco 7.3 and the number of failed login attempts is 5 in the membership area. How to display a message to the user if an account is locked out after failed login attempts on the Umbraco CMS login page?
Hi Das,
in your Action method of your SurfaceController that does the login you can catch the member by its username and password or by e-mail.
Then the Member object has a property called IsLockedOut.
Here you can do a check on it to see if it's true or not and show a correct message in your view.
SurfaceController action method
View
*Code manually typed so untested!
Hope this helps!
/Michaël
Hi Das,
did you get it working using the solution I provided? Or do you still have issues?
/Michaël
Thanks for the answer. Yes, it's working.
I am having the same challenge. Although I believe your solution is only a half solution. With the code above, you get the User, but you don't validate if it is the actual user, which would be done by validating their password.
Otherwise anyone could arbitrarily find out who is a member of the site just by entering in their username and a false password multiple times till it locks out and then a message indicating that the current user is locked out would display. This would be exploitable since I would now know the username of an actual user.
I would think that the proper approach would be to check if the user exists and if the password is correct then display if user is locked out.
Any thoughts would greatly be appreciated.
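
As an added example (not code from any poster in this thread), one way to address the enumeration concern raised in the comment above is to return the same message for an unknown username, a wrong password and a locked-out account, and to record the lockout server-side only. The controller name, message wording and model-error key are assumptions; `Members.Login`, `Services.MemberService.GetByUsername` and `IsLockedOut` are the Umbraco 7 members API.

```csharp
using System.Web.Mvc;
using Umbraco.Core.Logging;
using Umbraco.Web.Models;
using Umbraco.Web.Mvc;

// Hypothetical controller name; added example, not the thread's code.
public class MemberLoginController : SurfaceController
{
    // One message for every failure, so the response does not reveal whether
    // the username exists or is locked out (wording is an assumption).
    private const string LoginFailed =
        "Login failed. Check your username and password. After repeated " +
        "failed attempts an account is locked and must be unlocked by an administrator.";

    [HttpPost]
    [ValidateAntiForgeryToken] // the login form must emit @Html.AntiForgeryToken()
    public ActionResult HandleLogin(LoginModel model)
    {
        if (!ModelState.IsValid)
        {
            return CurrentUmbracoPage();
        }

        // Validates the password and signs the member in on success.
        if (Members.Login(model.Username, model.Password))
        {
            return RedirectToCurrentUmbracoPage();
        }

        // Lockout state is looked up for server-side use only; it never
        // changes what the visitor sees.
        var member = Services.MemberService.GetByUsername(model.Username);
        if (member != null && member.IsLockedOut)
        {
            // Log the member id rather than the submitted username, so
            // user-controlled text does not end up in the log line.
            LogHelper.Warn<MemberLoginController>(
                "Login attempt on locked-out member id " + member.Id);
        }

        ModelState.AddModelError("loginModel", LoginFailed);
        return CurrentUmbracoPage();
    }
}
```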