ASP.Net Core SignInManager lockoutOnFailure

ASP.Net Core has a SignInManager that handles user authentication. One of its methods is PasswordSignInAsync(string username, string password, bool isPersistent, bool lockoutOnFailure). Setting lockoutOnFailure to true should temporarily block the user after a certain number of failed login attempts.

Looking at the AspNetUsers table in the database, I see the following:

  • AccessFailedCount increases by 1 for each failed access; when it reaches 5, it goes back to 0.
  • When it rolls over to 0, LockoutTimeEnd is set to 5 minutes in the future.
  • LockoutEnabled, however, remains 0 even after the rollover, and the user can continue to log in.

It seems that the provided feature is to allow 5 login attempts, and then lock the account for 5 minutes.

So my questions are:

  • How to set the number of allowed failed logins?
  • How to set a blocking period?
  • Why does the lockout not trigger?
1 answer
  • How to set the number of allowed failed logins?
  • How to set a blocking period?

The default project template uses the AddIdentity<TUser, TRole> extension method to configure Identity (in the Startup class's ConfigureServices method). There is an overload of this method through which you can configure IdentityOptions.

Instead

    services.AddIdentity<ApplicationUser, IdentityRole>()
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();

you can use

    var lockoutOptions = new LockoutOptions()
    {
        AllowedForNewUsers = true,
        DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5),
        MaxFailedAccessAttempts = 5
    };

    services.AddIdentity<ApplicationUser, IdentityRole>(options =>
        {
            options.Lockout = lockoutOptions;
        })
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();

The above does not change anything, since these are the default values of LockoutOptions, but you can change them as you wish.

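The following is an added example, not code from the question or the answer above. It wires the three LockoutOptions the answer mentions into Startup.ConfigureServices and shows the sign-in call that enforces them. It also addresses the third question: Identity's UserManager.IsLockedOutAsync returns false whenever the user's LockoutEnabled flag is false, so AccessFailedCount and LockoutEnd are still written on failure, but the sign-in is never refused; UserManager.CreateAsync sets LockoutEnabled on a new user only when AllowedForNewUsers is true, and an existing account can be switched on with SetLockoutEnabledAsync. The class names ApplicationUser and ApplicationDbContext, the LoginService class, and the option values 3 and 15 minutes are assumptions for this example.

```csharp
// Added example (not from the question or the answer): configuring Identity
// lockout and enforcing it at sign-in. Option values and class names are assumed.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

// Assumed user and context types, as generated by the default project template.
public class ApplicationUser : IdentityUser { }

public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentity<ApplicationUser, IdentityRole>(options =>
            {
                // Failed attempts allowed before AccessFailedCount resets to 0 and
                // LockoutEnd is set (assumed value; the default is 5).
                options.Lockout.MaxFailedAccessAttempts = 3;

                // How far into the future LockoutEnd is pushed when the limit is
                // reached (assumed value; the default is 5 minutes).
                options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);

                // UserManager.CreateAsync sets LockoutEnabled = true on new users
                // only when this is true. Users with LockoutEnabled = false are
                // never reported as locked out, whatever their LockoutEnd value.
                options.Lockout.AllowedForNewUsers = true;
            })
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();
    }
}

// Assumed application service that performs the sign-in.
public class LoginService
{
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly UserManager<ApplicationUser> _userManager;

    public LoginService(SignInManager<ApplicationUser> signInManager,
                        UserManager<ApplicationUser> userManager)
    {
        _signInManager = signInManager;
        _userManager = userManager;
    }

    // Returns "ok", "locked-out" or "invalid" so the caller can log the outcome
    // without leaking which case applied to the client.
    public async Task<string> LoginAsync(string userName, string password)
    {
        // lockoutOnFailure: true makes a wrong password increment AccessFailedCount
        // (and set LockoutEnd once MaxFailedAccessAttempts is reached). The lockout
        // is only enforced for users whose LockoutEnabled flag is true.
        var result = await _signInManager.PasswordSignInAsync(
            userName, password, isPersistent: false, lockoutOnFailure: true);

        if (result.Succeeded)
        {
            return "ok";
        }
        if (result.IsLockedOut)
        {
            return "locked-out";
        }
        return "invalid";
    }

    // Turns enforcement on for an account that was created with LockoutEnabled = false,
    // which is the state the question observed in the AspNetUsers table.
    public async Task<bool> EnableLockoutAsync(string userName)
    {
        var user = await _userManager.FindByNameAsync(userName);
        if (user == null)
        {
            return false;
        }
        var update = await _userManager.SetLockoutEnabledAsync(user, true);
        return update.Succeeded;
    }
}
```

When auditing an existing database, the column to check is LockoutEnabled: a row with a future LockoutEnd but LockoutEnabled = 0 is not protected, and the counters rolling over as the question describes is exactly what UserManager.AccessFailedAsync does regardless of that flag.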
