Tracking failed login attempts

Posted by D-Bar under C# on 10/17/2012 | Points: 10 | Views : 12627 | Status : [Member] | Replies : 1
Hi All, I have an ASP.NET 4.0 C# site. I am tracking failed log in attempts. After 3 I lock account. I am using a database to keep track of invalid login attempts. I got it to work if user enters 3 bad attempts in a row. My problem is if they only have 2 failed attempts, I need to delete info in database before next user tries to log in, if I don't and they have just 1 failed attempt they will be locked out. I tried using if !IsPostBack on Page load, but apparently clicking on a link that brings user back to log in page is NOT a postback. Any ideas or suggestions would be greatly appreciated.



Posted by: Vasanthmvp on: 10/17/2012 [Member] Starter | Points: 25

Hi D-Bar, its better to write a stored procedure for this.
Suppose i have a table Customers (UserName, Password, IsActive)
Maintain a separate table LoginFailedUsers with (Username,Attempts,DateTimeOfLock).Each time when a user gets logged in

1.(IF) Check whether username actually exists or not.
2.(IF) UserName exists and User's credentials are correct and IsActive is true.
2.(ELSE) If not, Insert this username into LoginFailedUsers with attempt count as 1.
If next time the user tries to make wrong attempts with the username existing in the loginFailedUsers then increase the attemptscount.

Under this else, check if the count is greater than or equal to 3. If it reaches 3 then lock the user. At this time i.e user a/c lock only, you can set the current date time and IsActive in the Customers table to False. so that you can maintain a time difference after which user account gets activated as well as you can show a time difference message like "3 Attempts failed,Your account has been temporarily blocked.. you can access it after 3 minutes."

3.Take a outparameter value no of attempts failed, so that you can show to the user the number of attempts left to login.
4.For each if and else case, return some value depending on which a switch case statement can be used in the aspx page and accordingly a message can be rendered to the user.

By the above case, if we use static type also.. we cannot do that way bcoz it doesnot maintain isolation among different users.

Still not clear, let me know.

Awesome Coding !! :)

D-Bar, if this helps please login to Mark As Answer. | Alert Moderator

Login to post response