ASP.Net Identity 2.0 AccessFailedCount not incrementing

You have to handle this manually. The CheckPassword method calls the PasswordHasher.VerifyHashedPassword method to validate the password, but it does not update access failed count when the provided password does not match the existing one.

Here's an example of an authenticate method that supports lockout:

UserManager<User> userManager = new UserManager<User>(new UserStore());

if (userManager.SupportsUserLockout && userManager.IsLockedOut(userId))
    return;

var user = userManager.FindById(userId);
if (userManager.CheckPassword(user, password))
{
    if (userManager.SupportsUserLockout && userManager.GetAccessFailedCount(userId) > 0)
    {
        userManager.ResetAccessFailedCount(userId);
    }

    // Authenticate user
}
else
{
    if (userManager.SupportsUserLockout && userManager.GetLockoutEnabled(userId))
    {
        userManager.AccessFailed(userId);
    }
}

There is also the PasswordSignInAsync which accepts a "shouldLockout" argument. Setting this to true will auto increment failed login attempts

var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: true);

For .NET Core 2.1 the shouldLockout is now named lockoutOnFailure

So your login call should look like this to increment failed login attempts:

var result = await SignInManager.PasswordSignInAsync(loginModel.Email, loginModel.Password, loginModel.RememberMe, lockoutOnFailure: true);

This will also reset the failed login attempts once the user logs in successfully.

ASP.Net Identity 2.0 AccessFailedCount not incrementing

Tags:

C#

Asp.Net

Authentication

Asp.Net Mvc

Asp.Net Identity

Related

Recent Posts