ASP.NET Core 3.1 - Login Lockout
This article will describe the implementation of a configurable lockout pause after a configurable number of failed login attempts. I will assume you have downloaded the ASP.NET Core 3.1 - Users Without Identity Project or created a new ASP.NET Core 3.1 Razor Pages project. See Tutorial: Get started with Razor Pages in ASP.NET Core. You should review the earlier articles of the Users Without Identity Project series.
Users Without Identity Project and Article Series
Creation Series
- ASP.NET Core 3.1 - Users Without Identity
- ASP.NET Core 3.1 - User Entity
- ASP.NET Core 3.1 - Password Hasher
- ASP.NET Core 3.1 - User Management
- ASP.NET Core 3.1 - Admin Role
- ASP.NET Core 3.1 - Cookie Validator
- ASP.NET Core 3.1 - Concurrency Conflicts
- ASP.NET Core 3.1 - Must Change Password
- ASP.NET Core 3.1 - User Database Service
- ASP.NET Core 3.1 - Rename Related Entities
2FA Series
- ASP.NET Core 3.1 - 2FA Without Identity
- ASP.NET Core 3.1 - 2FA User Tokens
- ASP.NET Core 3.1 - 2FA Cookie Schemes
- ASP.NET Core 3.1 - 2FA Authenticating
- ASP.NET Core 3.1 - 2FA Sign In Service
- ASP.NET Core 3.1 - 2FA QR Code Generator
- ASP.NET Core 3.1 - Admin 2FA Requirement
- ASP.NET Core 3.1 - 2FA Admin Override
Enhanced User Series
- ASP.NET Core 3.1 - Enhanced User Without Identity
- ASP.NET Core 3.1 - 2FA Recovery Codes
- ASP.NET Core 3.1 - Login Lockout
- ASP.NET Core 3.1 - Created And Last Login Date
- ASP.NET Core 3.1 - Security Stamp
- ASP.NET Core 3.1 - Token Service
- ASP.NET Core 3.1 - Confirmed Email Address
- ASP.NET Core 3.1 - Password Recovery
UWIP v2 implements AccessFailedCount and LockoutEndDate properties for the AppUser. The AccessFailedCount is incremented for every identifiable failed login attempt.
Entities > AppUser:
[Display(Name = "Access Failed Count")] public int AccessFailedCount { get; set; } [Display(Name = "Lockout End")] public DateTimeOffset? LockoutEndDate { get; set; }
The UserService implements maxFailedAccessAttempts = 5 and LockoutTimeSpan = TimeSpan. FromMinutes(15) private readonly properties.
Services > UserService:
private readonly int maxFailedAccessAttempts = 5; private readonly TimeSpan lockoutTimeSpan = TimeSpan.FromMinutes(15);
The UserService implements a UpdateAppUserAccessFailedCountAsync function which is called after failed attempts on the Login, LoginWith2fa, and LoginWithRecoveryCode pages. If the failed access count is greater than or equal to the configured maximum number of attempts, the user will be locked out for the configured lockout time span.
Services > UserService:
public async Task<bool> UpdateAppUserAccessFailedCountAsync(int appUserId) { var appUser = await TrackAppUserByIdAsync(appUserId).ConfigureAwait(false); if (appUser == null) return false; appUser.AccessFailedCount++; // If this meets the threshold for lockout, lock them out and reset the access failed count if (appUser.AccessFailedCount >= maxFailedAccessAttempts) { appUser.LockoutEndDate = DateTimeOffset.UtcNow.Add(lockoutTimeSpan); appUser.AccessFailedCount = 0; } return await UpdateAppUserAsync(appUser, appUser.RowVersion).ConfigureAwait(false); }
The SignInService implements a PasswordSignInAsync function which returns a Microsoft. AspNetCore. Identity. SignInResult indicating the result of a sign in operation.
Services > SignInService:
public async Task<SignInResult> PasswordSignInAsync(string loginName, string password, bool isPersistent) { var appUser = await _userService.GetAppUserByLoginNameAsync(loginName).ConfigureAwait(false); if (appUser == null) return SignInResult.Failed; if (!appUser.EmailConfirmed) return SignInResult.NotAllowed; if (appUser.LockoutEndDate > DateTimeOffset.UtcNow) return SignInResult.LockedOut; return await PasswordSignInAsync(appUser, password, isPersistent).ConfigureAwait(false); }
If the SignInResult indicates LockedOut the user is redirected to the Locked Out page.
Update 02/23/2021
I updated the article links.
Comments(0)