Blocking access resource after 10 unsuccessful login attempts by the user.
Apr 06, 2020 04:33 PM|jameslovemicrosoft
I am new to ASP.NET. This is my first question on this site. I want to block access to the resource after 10 unsuccessful login attempts. I want to add a limitation so that when a user makes 10 wrong attempts, I list that user in a block list. All operations should be done using a database in the ADO.NET Entity Data Model.
Apr 06, 2020 06:20 PM|Pratap09
Here is a similar thread, if you are using the membership database:
https://forums.asp.net/t/1841771.aspx?Block+user+for+15+minutes+after+5+login+attempts
If you are using ASP.NET Core, refer to the link below:
http://www.dotnet-tutorials.net/Article/lockout-user-after-failed-login-attempts-in-asp-net-identity
Apr 06, 2020 10:17 PM|jameslovemicrosoft
First of all, thank you for your reply. I am not using the membership database, and I want to do it in ASP.NET Web API, not in .NET Core. I am just sending a JSON request to the server like:
I want to add the incoming IP to a block list if it makes more than 10 unsuccessful login attempts. I have stored these values in the database. What is the best approach to do so? Please help. I have tried maintaining a count but I was unsuccessful.
Apr 06, 2020 10:36 PM|mgebhard
Can you share all the relevant code that maintains the count? Can you share any errors?
Apr 07, 2020 05:54 AM|jameslovemicrosoft
Oh yes, somehow I managed to write the code. Is this the right approach:
    Count.counter++;
    var ress = _db.APITables.Find(tb.Id);
    if (Count.counter == 3)
    {
        bool BlockStatus = true;
        if (ress != null)
        {
            ress.BlockStatus = BlockStatus;
            _db.SaveChanges();
        }
    }
    else if (Count.counter == 3 || ress.BlockStatus == true)
    {
        return Request.CreateErrorResponse(HttpStatusCode.Forbidden, "Sorry you are blocked");
    }
Here, Count.counter is the static variable.
Apr 07, 2020 10:46 AM|mgebhard
A static variable will not work in a web application. Every user has access to the same variable. Once one user gets to 10 attempts, all users are blocked.
Store the value in a table in the User account table.
Apr 08, 2020 01:39 PM|jameslovemicrosoft
I have stored the Count value in the database, but the problem is:
    var res = db.APITables.FirstOrDefault(model => model.Username == tb.Username && model.Password == tb.Password && model.HostIP == ip);
In the above line I am just checking whether the username, password and hostIp are correct or not in my database. If the user supplies a wrong username and password, it directly returns null. Count gets executed only if the supplied username and password are incorrect, which means the count database field never reaches the wrong user. Where do I store Count and how do I check Count? Please help.
Apr 08, 2020 01:47 PM|mgebhard
Use a cookie to save the unsuccessful login attempts when the username is not found.
Keep in mind that the IP is not reliable and can be used by a group of users. Restricting by IP is a firewall function not a web site.
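Added example (not part of the original thread and not any poster's code): one way to keep the counter in the user's own row, as advised above, by looking the row up by username only and checking the password afterwards, so a wrong password still finds a row to count on. Assumptions: the names ApiUser, LoginGuard, TryLogin, LoginResult and FailedCount are hypothetical, an in-memory dictionary stands in for the APITables table, and a salted PBKDF2 hash is stored instead of the plain password the thread's query compares.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Constructed stand-in for one row of the thread's APITables table (column names assumed).
public class ApiUser
{
    public byte[] Salt, PasswordHash;                 // assumption: salted PBKDF2 hash, not the plain password
    public int FailedCount; public bool BlockStatus;  // per-user counter replaces the static Count.counter
}

public enum LoginResult { Ok, Invalid, Blocked }

public static class LoginGuard
{
    public const int MaxFailures = 10;

    public static byte[] Hash(string pw, byte[] salt) // this overload needs .NET Framework 4.7.2 or later
    {
        using (var kdf = new Rfc2898DeriveBytes(pw, salt, 100000, HashAlgorithmName.SHA256)) return kdf.GetBytes(32);
    }

    static bool SameBytes(byte[] a, byte[] b)         // running time does not depend on where bytes differ
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // 'users' stands in for the table, keyed by Username. With EF: fetch the row by
    // Username only, modify it, then call SaveChanges().
    public static LoginResult TryLogin(IDictionary<string, ApiUser> users, string name, string password)
    {
        ApiUser row;
        if (!users.TryGetValue(name, out row)) return LoginResult.Invalid;  // unknown name: no row to count on
        if (row.BlockStatus) return LoginResult.Blocked;                    // checked before the password
        if (SameBytes(Hash(password, row.Salt), row.PasswordHash)) { row.FailedCount = 0; return LoginResult.Ok; }
        if (++row.FailedCount >= MaxFailures) row.BlockStatus = true;       // tenth miss blocks this user only
        return row.BlockStatus ? LoginResult.Blocked : LoginResult.Invalid;
    }

    public static void Main()
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        var users = new Dictionary<string, ApiUser> {   // constructed sample data
            { "alice", new ApiUser { Salt = salt, PasswordHash = Hash("correct horse", salt) } },
            { "bob",   new ApiUser { Salt = salt, PasswordHash = Hash("hunter2", salt) } } };
        for (int i = 0; i < 10; i++) TryLogin(users, "alice", "guess" + i); // ten wrong passwords for alice
        Console.WriteLine(TryLogin(users, "alice", "correct horse"));       // alice's row is now blocked
        Console.WriteLine(TryLogin(users, "bob", "hunter2"));               // bob's row is unaffected
    }
}
```

Against a real database, perform the increment and the block-flag update atomically (a single UPDATE or a transaction) so that concurrent requests cannot undercount.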
Apr 08, 2020 02:48 PM|jameslovemicrosoft
I also want to check the IP from the host (client) URL and match it against the IP stored in the database. If the host's IP does not match the IP stored in the database, I don't allow that host to access the resource. Is this not a good idea? I am a beginner and still learning; I have no proper idea. Please help and give me a proper idea. Is using the username and password enough, or do I have to check the IP also?
I have found this code to find the IP of the host: