We are excited to announce that the ASP.NET Forums are moving to the new Microsoft Q&A experience. Learn more >
Blocking access resource after 10 unsuccessful login attempts by the user.[Answered]
8 replies
Last post Apr 08, 2020 02:48 PM by jameslovemicrosoft
Member
11 Points
24 Posts
Blocking access resource after 10 unsuccessful login attempts by the user.
Apr 06, 2020 04:33 PM|jameslovemicrosoft|LINK
I am a new guy in asp.net. This is my first question in this site.I want to block accessing the resource after 10 unsuccessful login attempts. I want to add limitation to that user that when user wrong attempt for 10 times, I need to list that user in block list. All operation should be done using database in ado.net entity data model.
Participant
1317 Points
426 Posts
Re: Blocking access resource after 10 unsuccessful login attempts by the user.
Apr 06, 2020 06:20 PM|Pratap09|LINK
Here is similar thread if you are using membership database, you can see this:
https://forums.asp.net/t/1841771.aspx?Block+user+for+15+minutes+after+5+login+attempts
If you are using ASP.NET Core, Refer below link:
http://www.dotnet-tutorials.net/Article/lockout-user-after-failed-login-attempts-in-asp-net-identity
Member
11 Points
24 Posts
Re: Blocking access resource after 10 unsuccessful login attempts by the user.
Apr 06, 2020 10:17 PM|jameslovemicrosoft|LINK
First of all Thank you for your reply, I am not using membership database,also I want to do it in asp.net web api not in .net core. I am just sending json request to server like:
{ "FromDate":"2020-04-04", "ToDate":"2020-04-04", "Username":"ram", "Password":"ram123", "RequestId":"12" }I want to add incoming ip to block list, if it attempt more than 10 unsuccessful login. I have store these values in database. what is the best approach to do so please help. I have tried maintaining count but I am unsuccessful. </div>
All-Star
53711 Points
24042 Posts
Re: Blocking access resource after 10 unsuccessful login attempts by the user.
Apr 06, 2020 10:36 PM|mgebhard|LINK
Can you share all the relevant code that maintains the count? Can you share any errors?
Member
11 Points
24 Posts
Re: Blocking access resource after 10 unsuccessful login attempts by the user.
Apr 07, 2020 05:54 AM|jameslovemicrosoft|LINK
o ya somehow I managed to write the code is this the right approach :
Count.counter++;
var ress = _db.APITables.Find(tb.Id);
if (Count.counter == 3)
{
bool BlockStatus = true;
if (ress!=null)
{
ress.BlockStatus = BlockStatus;
_db.SaveChanges();
}
}
else if (Count.counter == 3 || ress.BlockStatus==true)
{
return Request.CreateErrorResponse(HttpStatusCode.Forbidden, "Sorry you are blocked");
}
Here, Count.counter is the static variable
All-Star
53711 Points
24042 Posts
Re: Blocking access resource after 10 unsuccessful login attempts by the user.
Apr 07, 2020 10:46 AM|mgebhard|LINK
A static variable will not work in a web application. Every user has access to the same variable. One one user gets to 10 attempts all users are blocked.
Store the value in a table in the User account table.
Member
11 Points
24 Posts
Re: Blocking access resource after 10 unsuccessful login attempts by the user.
Apr 08, 2020 01:39 PM|jameslovemicrosoft|LINK
I have store Count value in database but, Problem is
var res = db.APITables.FirstOrDefault(model => model.Username == tb.Username && model.Password == tb.Password && model.HostIP==ip);
In above line I am just checking username,password,hostIp is correct or not in my database. If user supplied wrong username and password it directly return null ,Count get executed only if supplied username and password incorrect that mean count database field variable never rich to wrong user, where I store Count and how to check Count please help.
All-Star
53711 Points
24042 Posts
Re: Blocking access resource after 10 unsuccessful login attempts by the user.
Apr 08, 2020 01:47 PM|mgebhard|LINK
Use a cookie to save the unsuccessful login attempts when the username is not found.
Keep in mind that the IP is not reliable and can be used by a group of users. Restricting by IP is a firewall function not a web site.
Member
11 Points
24 Posts
Re: Blocking access resource after 10 unsuccessful login attempts by the user.
Apr 08, 2020 02:48 PM|jameslovemicrosoft|LINK
I want to also check ip from host(client) url and match it to the database store ip. If ip of host is not match with store ip in database i don't allow that host to access resource: Is this not a good idea.I am beginner I am learning I have no proper idea please help and give me proper idea.using username and password is enough or I have to check Ip also.
I have found this code to find Ip of host:
public string GetClientIp(HttpRequestMessage request = null) { request = request ?? Request; if (request.Properties.ContainsKey("MS_HttpContext")) { return ((HttpContextWrapper)request.Properties["MS_HttpContext"]).Request.UserHostAddress; } else if (request.Properties.ContainsKey(RemoteEndpointMessageProperty.Name)) { RemoteEndpointMessageProperty prop = (RemoteEndpointMessageProperty)request.Properties[RemoteEndpointMessageProperty.Name]; return prop.Address; } else if (HttpContext.Current != null) { return HttpContext.Current.Request.UserHostAddress; } else { return null; } }