User Lockout in ASP.NET Core Identity

User Lockout in ASP.NET Core Identity

The ASP.NET Core Identity has a User Lockout feature to improve application security by locking out a user that enters a password incorrectly several times. This technique is very useful in protecting against brute force attacks, where a hacker repeatedly tries to guess a password.

In this tutorial you will learn how to implement the user lockout feature in your application.

User Lockout Configuration

To enable the User Lockout in Identity use the AddIndentity method to configure it in the ConfigureServices method of the Startup.cs class. The below code shows this thing.

services.Configure<IdentityOptions>(opts =>
{
    opts.Lockout.AllowedForNewUsers = true;
    opts.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(10);
    opts.Lockout.MaxFailedAccessAttempts = 3;
});

I enabled the user lockout feature is by setting the AllowedForNewUsers property to “true”. Additionally, I also configured a lockout time span to 10 minutes from the property called DefaultLockoutTimeSpan, and maximum failed login attempts to three from another property called MaxFailedAccessAttempts.

The AspNetUsers table of Identity database has 3 columns to store lockout settings of a user. These are:

  • LockoutEnabled column will specify if user lockout is enabled or not.
  • AccessFailedCount column will increase for every failed login attempt and reset once the account is locked out.
  • LockoutEnd column will have a DateTime value to represent the period until this account is locked out.

I have shown them in the below screenshot.

lockout columns
When a user forgets his/her password then he/she should be able to reset the password. Check How this feature is created – Creating Password Reset feature in ASP.NET Core Identity

Implementing User Lockout in the Login Page

I already have created the login feature which Implements the Authentication of Users in ASP.NET Core Identity. Here I will modify it to check if the user’s account is locked out and give him this message during login time.

In my case the login feature is located on the Login action of the Account Controller. I have added a check called result.IsLockedOut to find out if the user is locked out or not, and telling him to wait for 10 minutes time, and then try login once again. I have highlighted the necessary code shown below.

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Login(Login login)
{
    if (ModelState.IsValid)
    {
        AppUser appUser = await userManager.FindByEmailAsync(login.Email);
        if (appUser != null)
        {
            await signInManager.SignOutAsync();
            Microsoft.AspNetCore.Identity.SignInResult result = await signInManager.PasswordSignInAsync(appUser, login.Password, false, true);
            if (result.Succeeded)
                return Redirect(login.ReturnUrl ?? "/");

            if (result.IsLockedOut)
                ModelState.AddModelError("", "Your account is locked out. Kindly wait for 10 minutes and try again");
        }
        ModelState.AddModelError(nameof(login.Email), "Login Failed: Invalid Email or password");
    }
    return View(login);
}

Notice that I have passed true for the 4th column, which is lockoutOnFailure, of the PasswordSignInAsync method to enable the lockout functionality.

Microsoft.AspNetCore.Identity.SignInResult result = await signInManager.PasswordSignInAsync(appUser, login.Password, false, true);
Testing User Lockout feature

Test the functionality by running the application on Visual Studio. Then try login one time in an account with a wrong password and then check the value of AccessFailedCount column of the AspNetUsers table of Identity database. You will notice the value is increased to 1 as shown by the below image.

accessfailedcount value increased

Try login with wrong password for 2 more times (in total 3 times). Then check the value of AccessFailedCount column. You will see the AccessFailedCount column’s value is reset to 0 and column called LockoutEnd has a date time value specifying time when the lockout will end.

I have shown this in the below image.

lockoutend column

In fact you can go one step further by informing the user about a locked out account. Ask him to reset the password or report that something is strange because they didn’t try to log in, which means that someone is trying to hack the account. I have already explained How to create the Reset Password feature in ASP.NET Core Identity in my previous tutorial, and you will find it very useful.

You can download the full codes of this tutorial from the below link:

Download

Conclusion

In this article you covered a lot of things which are:

  • How to create a User Lockout configuration
  • How to implement User Lockout configuration.
I hoped you enjoyed reading and learning it. Check out my other tutorial – How to perform Email Confirmation of Users in ASP.NET Core Identity

SHARE THIS ARTICLE

  • linkedin
  • reddit
yogihosting

ABOUT THE AUTHOR

I hope you enjoyed reading this tutorial. If it helped you then consider buying a cup of coffee for me. This will help me in writing more such good tutorials for the readers. Thank you. Buy Me A Coffee donate

Leave a Reply

Your email address will not be published. Required fields are marked *