Lock user after five failed login attempts and show an error in MVC3 Asp.net


I want to show an error to the user after 5 failed login attempts and then lock her. I set this in web.config:

  maxInvalidPasswordAttempts="5"

Now I want to check the user's login attempts in the LogOn controller and send an error if this parameter is more than 5. How can I count user login attempts and check it? Here is my controller:

    //
    // GET: /Account/LogOn

    public ActionResult LogOn()
    {
        return View();
    }

    //
    // POST: /Account/LogOn

    [HttpPost]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (ModelState.IsValid)
        {
            if (Membership.ValidateUser(model.UserName, model.Password))
            {
                FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
                if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/")
                    && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
                {
                    return Redirect(returnUrl);
                }
                else
                {
                    return RedirectToAction("Index", "Home");
                }
            }
            else
            {
                ModelState.AddModelError("", "The user name or password provided is incorrect.");
            }
        }

        // If we got this far, something failed, redisplay form
        return View(model);
    }

There are 4 answers

0
Amit On

Try this, it can help you.

First, create a property named attempt, set it each time using JavaScript, and send it with LogOn. Check whether it has reached the maximum number of attempts, then lock the user.

2
Kinexus On

In your else statement, you will need to persist the current number of failed attempts and check that the number is not greater than your setting.

0
Bhogs On

                attempt = attempt - 1;
                MessageBox.Show("Incorrect Credentials");
                MessageBox.Show("You only have " + attempt + " attempt(s) left");
                con.Close();
            }
        }
        else
        {
            MessageBox.Show("Empty Fields shit");
        }
    }

    this.Hide();
    Form3 ss = new Form3();
    ss.Show();

0
user3754008 On

Try to add it as an attribute.

  1. When the login fails, set the attempt count in a cookie.
  2. Add a custom attribute.

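    using System;
    using System.Web;
    using System.Web.Mvc;

    public class testAttribute : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // Read the failed-attempt count stored in the cookie.
            HttpCookie cookie = httpContext.Request.Cookies.Get("cookieName");
            int attempts;
            // Cookies.Get returns null when the cookie is absent, and TryParse
            // needs an out parameter to receive the parsed value.
            if (cookie != null && Int32.TryParse(cookie.Value, out attempts) && attempts == 5)
            {
                httpContext.Response.StatusCode = 401;
                httpContext.Response.End();
                return false;
            }
            else
            {
                return true;
            }
        }
    }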
    
  3. Use the created attribute on your login function.

    [HttpPost]
    [testAttribute]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (ModelState.IsValid)
        {
            if (Membership.ValidateUser(model.UserName, model.Password))
            {
                FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
                if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/")
                    && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
                {
                    return Redirect(returnUrl);
                }
                else
                {
                    return RedirectToAction("Index", "Home");
                }
            }
            else
            {
                ModelState.AddModelError("", "The user name or password provided is incorrect.");
            }
        }

        // If we got this far, something failed, redisplay form
        return View(model);
    }
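
Added example, not code from the question or from any answer on this page: with `maxInvalidPasswordAttempts="5"` set as in the question, the membership provider counts failed passwords in its own store, so the LogOn action can read the lockout state back after a failed `Membership.ValidateUser` instead of keeping its own counter. The `LogOnModel` properties are assumed from how the question's controller uses them, and the lockout message text is made up for illustration.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Same shape as the question's model; redefined here so the block compiles alone.
public class LogOnModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

public class AccountController : Controller
{
    [HttpPost]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(model);

        if (Membership.ValidateUser(model.UserName, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
            if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/")
                && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
            {
                return Redirect(returnUrl);
            }
            return RedirectToAction("Index", "Home");
        }

        // ValidateUser returns false for a wrong password and for a locked-out
        // account alike. The provider has already counted this failure in its
        // own store, so read the resulting state back instead of keeping a counter.
        // userIsOnline: false so a failed login does not touch LastActivityDate.
        MembershipUser user = Membership.GetUser(model.UserName, false);
        if (user != null && user.IsLockedOut)
        {
            ModelState.AddModelError("",
                "This account is locked after too many failed login attempts.");
        }
        else
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
        }
        return View(model);
    }
}
```

A distinct lockout message tells the caller that the user name exists, so some sites show the generic error in both branches and notify the account owner out of band. A locked account stays locked until `MembershipUser.UnlockUser()` is called for it.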