SimpleMembershipProvider: webpages_Membership table

Which is the best way to access information in the webpages_Membership table using SimpleMembershipProvider in MVC 4? I am trying to implement an account block if the user enters the wrong password three times.

Many thanks

+3




2 answers


Using SimpleMembership, you can access this information in the following way:

    WebSecurity.IsAccountLockedOut(userName, allowedPasswordAttempts, intervalInSeconds)

IsAccountLockedOut returns whether the account is locked or not, based on the number of attempts you want to allow and the time since the last failed login attempt. This is used to stop brute force attempts to crack the password by other machines. You would add this check where you authenticate the user, for example in the Login method of the Account controller. You can do something like this:



    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (ModelState.IsValid && 
           !WebSecurity.IsAccountLockedOut(model.UserName, 3, 180) &&
           WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
        {
            return RedirectToLocal(returnUrl);
        }

        // If we got this far, something failed, redisplay form
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

      

In this case, you don't want to completely disable the user, but rather allow the valid user to come back after the interval has passed. This is to stop brute force attacks, not people who forgot their password.

The IsConfirmed field is used during registration, when you want the user to confirm that they have given you a valid email address. You create and store a ConfirmationToken in the database, email it to the user, and ask them to click a link that takes them to a controller/action in your MVC app, which validates the token and sets the IsConfirmed field to true.

+6
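A stand-alone model of the check described in the answer above, added here as an example (it is not SimpleMembership's source or the answerer's code). The `LockoutModel` class, the exact threshold comparison and the sample timeline are assumptions; in an application the two inputs correspond to `WebSecurity.GetPasswordFailuresSinceLastSuccess` and `WebSecurity.GetLastPasswordFailureDate`.

```csharp
using System;

// Added model of the lockout decision; not SimpleMembership's own source.
static class LockoutModel
{
    // failures       ~ webpages_Membership.PasswordFailuresSinceLastSuccess
    // lastFailureUtc ~ webpages_Membership.LastPasswordFailureDate
    // Assumption: the account counts as locked once failures reach the allowed
    // count and the last failure is still inside the interval.
    public static bool IsLockedOut(int failures, DateTime lastFailureUtc,
        int allowedAttempts, TimeSpan interval, DateTime nowUtc)
    {
        if (failures < allowedAttempts) return false;
        return nowUtc < lastFailureUtc.Add(interval);
    }
}

static class Program
{
    static void Main()
    {
        var interval = TimeSpan.FromSeconds(180);
        var t0 = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc); // constructed
        int failures = 0;
        DateTime lastFailure = DateTime.MinValue;

        // Constructed timeline: seconds after t0, and whether the password was right.
        var attempts = new[] {
            (At: 0, Correct: false), (At: 5, Correct: false), (At: 10, Correct: false),
            (At: 60, Correct: true),   // inside the window: rejected without checking
            (At: 200, Correct: false), // window over, counter still 3: one miss re-locks
            (At: 210, Correct: true),  // locked again until 200 + 180
            (At: 400, Correct: true),  // accepted, counter resets
        };

        foreach (var a in attempts)
        {
            DateTime now = t0.AddSeconds(a.At);
            string outcome;
            if (LockoutModel.IsLockedOut(failures, lastFailure, 3, interval, now))
                outcome = "locked out"; // Login is never called, so nothing is recorded
            else if (a.Correct) { failures = 0; outcome = "signed in"; }
            else { failures++; lastFailure = now; outcome = "wrong password"; }
            Console.WriteLine($"t+{a.At,3}s  {outcome,-14} failures={failures}");
        }
    }
}
```

In this model the counter only resets on a successful sign-in, so after the window expires a single wrong password locks the account again for another full interval.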




davide, to completely disable the user, you can create a new "Disabled" role and change the login code:



    public ActionResult Login(LoginModel model, string returnUrl)
    {
        string errorMsg = "The user name or password provided is incorrect.";
        if (Roles.IsUserInRole(model.UserName, "Disabled"))
        {
            errorMsg = "Your account has been disabled. Contact webmaster for more info.";
        }
        else if (ModelState.IsValid &&
            !WebSecurity.IsAccountLockedOut(model.UserName, 3, 180) &&
            WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
        {
            return RedirectToLocal(returnUrl);
        }

        if (!WebSecurity.IsConfirmed(model.UserName))
        {
            errorMsg = "You have not completed the registration process. "
                + "To complete this process look for the email that provides instructions.";
        }

        // If we got this far, something failed, redisplay form
        ModelState.AddModelError("", errorMsg);
        return View(model);
    }

      

+1

