  • Arunabha Das 38 posts 151 karma points
    Feb 13, 2017 @ 07:33
    Arunabha Das
    0

    Display a message if an account is locked out after failed login attempts

    I am using Umbraco 7.3 and the number of failed login attempts is 5 in the membership area. How to display a message to the user if an account is locked out after failed login attempts on the Umbraco CMS login page?

  • Michaël Vanbrabandt 863 posts 3348 karma points c-trib
    Feb 13, 2017 @ 08:29
    Michaël Vanbrabandt
    100

    Hi Das,

    In your Action method of your SurfaceController that does the login you can catch the member by its username and password or by e-mail.

    Then the Member object has a property called IsLockedOut.

    Here you can do a check on it to see if it's true or not and show a correct message in your view.

    SurfaceController action method

    var member = Membership.GetUser("username");
    if(member != null && member.IsLockedOut)
    {
        TempData["LockedOut"] = true;
    }
    

    View

    @if(TempData["LockedOut"] != null)
    {
        <p>You are locked out!</p>
    }
    

    *Code manually typed so untested!

    Hope this helps!

    /Michaël

  • Michaël Vanbrabandt 863 posts 3348 karma points c-trib
    Mar 17, 2017 @ 13:07
    Michaël Vanbrabandt
    0

    Hi Das,

    did you get it working using the solution I provided? Or do you still have issues?

    /Michaël

  • Arunabha Das 38 posts 151 karma points
    Oct 09, 2017 @ 09:09
    Arunabha Das
    1

    Thanks for the answer. Yes, it's working.

  • Charles R. Matvchuk 18 posts 124 karma points
    Oct 04, 2017 @ 01:09
    Charles R. Matvchuk
    0

    I am having the same challenge. Although I believe your solution is only a half solution. With the code above, you get the User, but you don't validate if it is the actual user, which would be done by validating their password.

    Otherwise anyone could arbitrarily find out who is a member of the site just by entering in their username and a false password multiple times till it locks out and then a message indicating that the current user is locked out would display. This would be exploitable since I would now know the username of an actual user.

    I would think that the proper approach would be to check if the user exists and if the password is correct then display if user is locked out.

    Any thoughts would greatly be appreciated.
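
One way to keep a lockout notice without confirming which usernames exist, the concern raised in the last post: every failed login gets the same response, and lockout state is recorded server-side only. This is an added example, not code from the thread or from Umbraco; `LoginModel`, `MemberLoginController`, `HandleLogin` and the `LoginFailed` TempData key are assumptions, and it relies on `Membership.ValidateUser` returning false for a locked-out account, as the built-in ASP.NET membership providers do.

```csharp
using System.Diagnostics;
using System.Web.Mvc;
using System.Web.Security;
using Umbraco.Web.Mvc;

// Hypothetical names throughout (LoginModel, MemberLoginController,
// HandleLogin, "LoginFailed"): assumptions, not part of the thread.
public class LoginModel
{
    public string Username { get; set; }
    public string Password { get; set; }
}

public class MemberLoginController : SurfaceController
{
    // One message for every failed login, so the response does not confirm
    // whether the username exists or whether that account is locked.
    private const string FailureMessage =
        "Login failed. Accounts are locked after repeated failed attempts; " +
        "contact the site administrator if you cannot sign in.";

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult HandleLogin(LoginModel model)
    {
        if (model == null || string.IsNullOrWhiteSpace(model.Username)
            || string.IsNullOrEmpty(model.Password))
        {
            TempData["LoginFailed"] = FailureMessage;
            return CurrentUmbracoPage();
        }

        // ValidateUser returns false for an unknown user, a wrong password
        // and a locked-out account alike, so all three share one branch.
        if (Membership.ValidateUser(model.Username, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.Username, false);
            return RedirectToCurrentUmbracoPage();
        }

        // Lockout state is read for the server-side log only, never rendered.
        var member = Membership.GetUser(model.Username);
        if (member != null && member.IsLockedOut)
            Trace.TraceWarning("Login attempt on locked-out member {0} from {1}",
                member.UserName, Request.UserHostAddress);

        TempData["LoginFailed"] = FailureMessage;
        return CurrentUmbracoPage();
    }
}
```

The view renders `TempData["LoginFailed"]` the same way the `LockedOut` flag is rendered in the earlier answer, so an unknown username, a wrong password and a locked account all produce an identical page.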
