Sunday, April 3, 2011

ASP.NET 2.0 Membership: ValidateUser not locking out the user?

Hi

I am using the default SqlMembershipProvider in my ASP.NET 2.0 website, and expect Membership.ValidateUser to lock out the user after a number of wrong passwords have been entered (5, in my case), but ValidateUser doesn't seem to care about keeping count of bad password attempts and locking out the user.

What's wrong?

The Membership configuration in my web.config:

<membership defaultProvider="SqlMembershipProvider" >
   <providers>
     <clear />
      <add connectionStringName="ConnectionStringName" enablePasswordRetrieval="true"
         enablePasswordReset="true" requiresQuestionAndAnswer="false"
         requiresUniqueEmail="true" passwordFormat="Encrypted" maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0"
         passwordAttemptWindow="10" passwordStrengthRegularExpression=""
         applicationName="MyApp" name="SqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
   </providers>
</membership>
From stackoverflow
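The question describes the expected behaviour (a counter of failed ValidateUser calls, lockout once it reaches maxInvalidPasswordAttempts within passwordAttemptWindow minutes) without any way to observe it. The following diagnostic is an added example, not code from the original post: it reports which provider instance is actually loaded and what its effective settings are, then drives that provider through maxInvalidPasswordAttempts wrong passwords and prints the lockout state after each one. The user name, the bogus password and the calling context (any page or console app that can load the site's web.config) are assumptions.

```csharp
// Added diagnostic (not from the original post). Assumes a test account
// "lockout.test" already exists under the ApplicationName configured in
// web.config; the account name and the wrong password are placeholders.
using System;
using System.Web.Security;

public static class LockoutDiagnostic
{
    public static void Run(string userName)
    {
        MembershipProvider p = Membership.Provider;

        // Step 1: confirm which provider is really in use and what it was built with.
        // If this prints machine.config's AspNetSqlMembershipProvider with its default
        // ApplicationName, the web.config being read is not the one that was edited.
        Console.WriteLine("Provider: {0} ({1})", p.Name, p.GetType().FullName);
        Console.WriteLine("ApplicationName: {0}", p.ApplicationName);
        Console.WriteLine("MaxInvalidPasswordAttempts: {0}", p.MaxInvalidPasswordAttempts);
        Console.WriteLine("PasswordAttemptWindow: {0} min", p.PasswordAttemptWindow);

        // Step 2: the account must exist under this ApplicationName. ValidateUser
        // cannot count failures for a user it cannot find, and a wrong
        // ApplicationName looks exactly like "no lockout" from the outside.
        MembershipUser before = Membership.GetUser(userName, false);
        if (before == null)
        {
            Console.WriteLine("User '{0}' not found under ApplicationName '{1}'",
                              userName, p.ApplicationName);
            return;
        }
        Console.WriteLine("Before: IsApproved={0} IsLockedOut={1} LastLockoutDate={2}",
                          before.IsApproved, before.IsLockedOut, before.LastLockoutDate);

        // Step 3: fail the password exactly MaxInvalidPasswordAttempts times,
        // re-reading the user after each call so the counter's effect is visible.
        const string badPassword = "not-the-real-password"; // placeholder
        for (int i = 1; i <= p.MaxInvalidPasswordAttempts; i++)
        {
            bool ok = Membership.ValidateUser(userName, badPassword);
            MembershipUser u = Membership.GetUser(userName, false);
            Console.WriteLine("attempt {0}: ValidateUser={1} IsLockedOut={2}",
                              i, ok, u.IsLockedOut);
        }

        MembershipUser after = Membership.GetUser(userName, false);
        if (after.IsLockedOut)
        {
            Console.WriteLine("Locked out at {0}", after.LastLockoutDate);
            // Lockout is permanent until cleared explicitly; clear it for the test account.
            after.UnlockUser();
        }
        else
        {
            Console.WriteLine("NOT locked out after {0} failed attempts",
                              p.MaxInvalidPasswordAttempts);
        }
    }
}
```

Run it with `LockoutDiagnostic.Run("lockout.test")` from a page or test harness that loads the site's configuration. If the provider name or ApplicationName printed in step 1 is not the one you configured, the counters are being kept (or not kept) by a different provider instance than the one you are looking at. The same counters can also be read straight from the aspnet_Membership table (FailedPasswordAttemptCount, FailedPasswordAttemptWindowStart, IsLockedOut, LastLockoutDate) to see whether each ValidateUser call is reaching the database at all.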
  • What are PasswordAttemptWindow and MaxInvalidPasswordAttempts set to? And are these configuration settings set in the correct web.config (the one actually in use by the test environment)?

  • Here's the config for my membership usage which is working as required if it's of any use:

    <membership defaultProvider="AspNetSqlMembershipProvider" userIsOnlineTimeWindow="30">
      <providers>
        <remove name="AspNetSqlMembershipProvider" />
        <!--
          Membership defaults mainly below this point:
          connString, reqQ&A - modified - all others currently default.
        -->
        <add connectionStringName="CustomSqlServerProvider"
             name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="false"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression=""
             applicationName="/" />
      </providers>
    </membership>
    

    Also, have you tried using the .Login() method for the authentication process instead? That's what I'm using rather than ValidateUser().

    TheAgent : You've removed "AspNetSqlMembershipProvider" and set defaultProvider to point to it? Are you sure it works?
    ThorHalvor : As he says, "which is working as required if it's of any use".
    TheAgent : What .Login method? What class does this method belong to?
    Tanner : Yes, it works, as it removes the default "AspNetSqlMembershipProvider" which is taken from machine.config, then uses my provided provider instead.
    Tanner : My bad - my app uses membership via a WCF authentication service (as we have a Windows app that requires login). The authentication service provides a Login method which must call the ValidateUser() method further along.
  • Please set the user.[IsApproved] to true
