I ended up rolling my own logic.... on my login request i use the following code to check for FailedPasswordAttempts
```csharp
// Requires: using System; using System.Web.Security; using Umbraco.Core;
// Runs in the login request handler, before the password is checked.
var memberService = ApplicationContext.Current.Services.MemberService;
var member = memberService.GetByUsername(username);

// Unknown username: answer exactly as for a wrong password, so the response
// does not reveal which usernames exist (and avoids a null reference below).
if (member == null)
{
    Response.Write("{\"Response\":\"Error\",\"Message\":\"The password you entered is incorrect. Please try again (make sure your caps lock is off).\",\"Type\":3}");
    Response.End();
    return;
}

if (member.IsLockedOut)
{
    TimeSpan lockedOutTimeSpan = DateTime.Now - (DateTime)member.LastLockoutDate;
    TimeSpan fiveMinTimeSpan = new TimeSpan(0, 5, 0);
    TimeSpan timeLeft = fiveMinTimeSpan.Subtract(lockedOutTimeSpan);
    if (timeLeft > TimeSpan.Zero)
    {
        // Still inside the 5 minute lockout window: refuse without touching the counter.
        Response.Write("{\"Response\":\"Error\",\"Message\":\"You have entered the wrong password more than 10 times in a row, your account is still locked for another " + timeLeft.Minutes + " min and " + timeLeft.Seconds + " seconds.\",\"Type\":4}");
        Response.End();
        return;
    }
    // Window has passed: clear the flag and the counter so the user can try again.
    member.IsLockedOut = false;
    member.FailedPasswordAttempts = 0;
    memberService.Save(member);
}
else if (member.FailedPasswordAttempts >= 10) // >= rather than == so an overshooting counter still locks
{
    member.IsLockedOut = true;
    member.LastLockoutDate = DateTime.Now;
    memberService.Save(member);
    Response.Write("{\"Response\":\"Error\",\"Message\":\"You have entered the wrong password more than 10 times in a row, your account is now locked for 5 min.\",\"Type\":5}");
    Response.End();
    return;
}

// Membership.ValidateUser increments FailedPasswordAttempts on a wrong password.
if (!Membership.ValidateUser(username, password))
{
    Response.Write("{\"Response\":\"Error\",\"Message\":\"The password you entered is incorrect. Please try again (make sure your caps lock is off).\",\"Type\":3}");
    Response.End();
    return;
}
```
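The lockout decision from the snippet above, factored into a pure policy class so the threshold (the 3 or 5 attempts asked about in the thread, rather than a hard-coded 10) and the lockout window are configurable and the logic can be unit-tested without an HttpResponse or the MemberService. This is an added example, not code from the thread or from Umbraco; the class and method names, the settings and the clock value in `Demo` are all constructed for illustration.

```csharp
using System;
// Added example (not code from the thread): Vlad's lockout check factored into a
// pure, testable policy with a configurable threshold and window.
public enum LockoutState { Open, LockNow, StillLocked, Expired }

public struct LockoutDecision
{
    public LockoutState State;
    public TimeSpan Remaining; // meaningful only for StillLocked
}

public sealed class LockoutPolicy
{
    private readonly int _maxAttempts;
    private readonly TimeSpan _window;
    public LockoutPolicy(int maxAttempts, TimeSpan window) { _maxAttempts = maxAttempts; _window = window; }

    // failedAttempts is the counter Membership.ValidateUser maintains; lockedOut and
    // lastLockout are the values stored on the account. Call this before ValidateUser.
    public LockoutDecision Evaluate(bool lockedOut, DateTime? lastLockout, int failedAttempts, DateTime now)
    {
        if (lockedOut)
        {
            // Flag set but no timestamp: stay locked for a full window rather than unlock.
            if (lastLockout == null)
                return new LockoutDecision { State = LockoutState.StillLocked, Remaining = _window };
            TimeSpan remaining = _window - (now - lastLockout.Value);
            if (remaining > TimeSpan.Zero)
                return new LockoutDecision { State = LockoutState.StillLocked, Remaining = remaining };
            // Window has passed: caller clears IsLockedOut and zeroes FailedPasswordAttempts.
            return new LockoutDecision { State = LockoutState.Expired };
        }
        // >= rather than == so a counter that overshoots the threshold still locks.
        if (failedAttempts >= _maxAttempts)
            return new LockoutDecision { State = LockoutState.LockNow };
        return new LockoutDecision { State = LockoutState.Open };
    }
}

public static class Demo
{
    public static void Main()
    {
        var policy = new LockoutPolicy(5, TimeSpan.FromMinutes(5)); // constructed settings
        DateTime now = new DateTime(2015, 3, 1, 12, 0, 0);         // constructed clock
        Console.WriteLine(policy.Evaluate(false, null, 7, now).State);
        Console.WriteLine(policy.Evaluate(true, now.AddMinutes(-2), 5, now).Remaining);
        Console.WriteLine(policy.Evaluate(true, now.AddMinutes(-6), 5, now).State);
    }
}
```

On `LockNow` the caller sets `IsLockedOut` and `LastLockoutDate` and saves, on `Expired` it clears the flag and counter, exactly as the original snippet does; only `Open` proceeds to `Membership.ValidateUser`.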
User Provider
Hi, When using Umbraco 7.2 is there a way to lock out a user if they exceed, say, 3 or 5 login attempts?
Jon
Hi Jonathan
Out of the box there is no such logic - But perhaps you're able to set it up yourself somehow. This could perhaps be a starting point? https://msdn.microsoft.com/en-us/library/system.web.security.membership.maxinvalidpasswordattempts%28v=vs.110%29.aspx
/Jan
Hi, Does that mean changing the UserMembership provider in the Config etc?
Hi Jonathan,
I think that you should find the section for the Membership Provider in the webconfig, and the add the attribute maxInvalidPasswordAttempts="5" for the UsersMembershipProvider. Like below.
Hope this helps,
/Dennis
Hi, Thanks for your help. We have already tried this and the UmbracoUser table doesn't have a FailAttempt column to log anything against.
Hi Jonathan
Just discovered this package - Could that work for you? https://our.umbraco.org/projects/website-utilities/lockout-membership-provider
/Jan
Hi, Thanks once more for your help. It's funny, we just found this too - the only disadvantage of this package is there is no way to activate the user's account once the user locks themselves out of the CMS. It doesn't actually use the UmbracoUser table to log the failed attempts but uses its own new table called umbracoUserLoginAttempts. It doesn't set the userDisabled flag in the UmbracoUser table - the new dll just checks the umbracoUserLoginAttempts table and doesn't give the Admin user an option to reinstate the user via the CMS.
Jon
Hello Jonathan,
I ended up rolling my own logic.... on my login request i use the following code to check for FailedPasswordAttempts
Vlad
As a workaround we have added two triggers in the db - one on the umbracoUserLoginAttempts which sets the userDisabled flag as 1 if the number of attempts reaches 3. And one on the umbracoUser table if the flag has been reset to 0 on the userDisabled table which deletes the user entry in the umbracoUserLoginAttempts table.
Hope this helps Jon
Hi Vlad, It's using MemberService and not UserService. We need the Admin user login to lock on failed attempts.
Jon
The Trigger is a great idea.