I'm developing a website in ASP.NET where users can register and log in. I want to block users for 10 mins after they enter the wrong password 3 times. Is there any other solution except the MembershipProvider? I tried to implement it, but it failed.
After I add the code below to web.config, what else should I do? Thanks.
<membership defaultProvider="MyMembershipProvider">
  <providers>
    <clear/>
    <add name="MyMembershipProvider"
         type="MyMembershipProvider"
         autogenerateschema="true"
         connectionStringName="MyConnectionString"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         requiresUniqueEmail="false"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="3"
         minRequiredPasswordLength="8"
         minRequiredNonalphanumericCharacters="1"
         passwordAttemptWindow="5"
         passwordStrengthRegularExpression=""
         applicationName="/" />
  </providers>
</membership>
Check the following example for the ASP.NET 2.0 membership provider; it implements a way to unlock users automatically:
http://www.wrox.com/WileyCDA/Section/Implementing-Automatic-Unlocking-in-ASP-NET-2-0-SqlMembershipProvider.id-292262.html
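One way to get a timed lockout on top of the maxInvalidPasswordAttempts and passwordAttemptWindow settings, as an added example that is not code from the original posts or the linked article. The class name TimedLockout, the method ValidateWithAutoUnlock and the 10-minute duration (taken from the question) are assumptions; the Membership and MembershipUser members used are the standard System.Web.Security API.

```csharp
using System;
using System.Web.Security;

// Added example: time-limited lockout layered on the configured membership provider.
public static class TimedLockout
{
    // Assumption: 10 minutes, the lockout duration asked for in the question.
    private static readonly TimeSpan LockoutDuration = TimeSpan.FromMinutes(10);

    // Returns true only when the credentials are valid and the account
    // is not inside an active lockout period.
    public static bool ValidateWithAutoUnlock(string username, string password)
    {
        // userIsOnline: false, so a login attempt does not update LastActivityDate.
        MembershipUser user = Membership.GetUser(username, false);
        if (user == null)
        {
            // Unknown user: let the provider return its normal failure result.
            return Membership.ValidateUser(username, password);
        }

        if (user.IsLockedOut)
        {
            DateTime lockedAtUtc = user.LastLockoutDate.ToUniversalTime();
            if (DateTime.UtcNow - lockedAtUtc < LockoutDuration)
            {
                // Still locked: reject without checking the password.
                return false;
            }

            // Lockout period has expired: clear the lock before validating.
            if (!user.UnlockUser())
            {
                return false;
            }
        }

        // The provider counts failed attempts and locks the account again once
        // maxInvalidPasswordAttempts is reached within passwordAttemptWindow.
        return Membership.ValidateUser(username, password);
    }
}
```

Call this from the login handler in place of a direct Membership.ValidateUser call; the provider still performs the lockout itself, this wrapper only adds the expiry.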
I'm trying to implement membership with Oracle. I have created the database perfectly, but I cannot access it from my app. The database is on a dedicated server, and the error that it shows me is "OracleConnection.ConnectionString is invalid", but I know that it is correct.
I have used this connection with ADO.NET and it works perfectly.
Can I use a remote server to implement membership? Because this is the only explanation that I could find...
This is my connectionstring.
Thanks in advance!
I found the solution in this post:
Setting up the default AspNetSqlProvider to point to remote database
So my web.config looks like:
<connectionStrings>
  <add name="ApplicationServices" connectionString="DATA SOURCE=(DESCRIPTION= (ADDRESS=(PROTOCOL=TCP)(HOST=EUBEWD92Z1.jnj.com)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=XE))); user id=user; password=pass;" providerName="Oracle.DataAccess.Client"/>
</connectionStrings>
<membership>
  <providers>
    <remove name="OracleMembershipProvider"/>
    <add name="OracleMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ApplicationServices"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="true"
         applicationName="/"
         requiresUniqueEmail="false"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="7"
         minRequiredNonalphanumericCharacters="1"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression=""/>
  </providers>
</membership>
I've created an asp.net page (not MVC) using the out-of-box template that is created by VS 2010, which includes login controls, using forms authentication. The page provides data review and editing for users in our offices around the Southwest. I am able to access simple enough information from the login database such as names, roles, and email addresses.
The development site and the production site are both on my development computer, if that makes sense. Our actual production site is still under construction, but users are accessing the site through my computer set up as an asp.net server.
At any rate, what I need to do is to create an administrative feature that allows me or other admin users to make changes to the membership data, such as updating email addresses or deleting users.
Using the Membership class, I am able to access the membership data on the development site, but when I deploy it to the (temp) production site it still shows the user data on the development site.
It's clear that the site on the production server is working fine for our users -- i.e. they are able to create their user accounts and to actually log in; but the membership class does not show any of the actual users, only my faux users in the development space.
My web.config file contains these lines:
<connectionStrings>
  <add name="ApplicationServices" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\aspnetdb.mdf;User Instance=true" providerName="System.Data.SqlClient" />
  <add name="ConnectionString" connectionString="Data Source=MAINSERVER\SQLEXPRESS;Initial Catalog=XYZ;Integrated Security=True" providerName="System.Data.SqlClient" />
</connectionStrings>
Which seems like it ought to point to the aspnetdb.mdf file in the operating folder.
I've added a gridview just to get familiar with how this all works, and the VB codebehind includes the following lines:
GridView1.DataSource = Membership.GetAllUsers
GridView1.DataBind()
Which works great except it only shows the users in the development site.
I clearly do not understand the login/membership structure.
Can anyone shed some light on this for me?
EDIT: per request from Win----
From the Debug folder:
<membership>
  <providers>
    <clear/>
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/"/>
  </providers>
</membership>
<roleManager enabled="true">
  <providers>
    <clear/>
    <add connectionStringName="ApplicationServices" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider"/>
    <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider"/>
  </providers>
</roleManager>
From the production folder:
<membership>
  <providers>
    <clear/>
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/"/>
  </providers>
</membership>
<roleManager enabled="true">
  <providers>
    <clear/>
    <add connectionStringName="ApplicationServices" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider"/>
    <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider"/>
  </providers>
</roleManager>
Near as I can tell, they're identical, and nothing there gives me a clue how to fix it. I hope you can spot it! Thanks!
I have this membership provider, and I'm using the "website administration tool" launched from Visual Studio->PROJECT->ASP.NET Configuration.
<membership>
  <providers>
    <add connectionStringName="DefaultConnection" enablePasswordRetrieval="false"
         enablePasswordReset="true" requiresQuestionAndAnswer="false"
         requiresUniqueEmail="true"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="6"
         minRequiredNonalphanumericCharacters="0"
         passwordAttemptWindow="10"
         applicationName="/" name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </providers>
</membership>
Changing these minRequiredPasswordLength="6", minRequiredNonalphanumericCharacters="0" has no effect so I suspect it's not using that provider.
Adding <clear/> before the add only makes it worse and proves it's getting it elsewhere.
<membership>
  <providers>
    <clear/>
    <add....
This leads to this message on the page http://localhost:58144/asp.netwebadminfiles/security/security0.aspx:
The following message may help in diagnosing the problem: Default Membership Provider could not be found.
So how can I tell it to use that provider, or how can I configure the provider to what it expects?
I must give it a default provider here:
<membership defaultProvider="DefaultMembershipProvider">
I have an application that uses ASP.NET membership. Unfortunately, users' passwords are stored using PasswordFormat Clear. I want to change the passwords to hashed format without asking users to set theirs again. Another restriction is that the UserId in the Membership table can't be changed. Does anyone have any idea how to do it?
In your web.config go to
<membership defaultProvider="MyMembershipProvider">
  <providers>
    <clear/>
    <add name="MyMembershipProvider"
         type="MyProviders.SqlMembershipProvider"
         connectionStringName="MyConnectionString"
         maxInvalidPasswordAttempts="5"
         passwordAttemptWindow="10"
         minRequiredNonalphanumericCharacters="0"
         minRequiredPasswordLength="4"
         passwordStrengthRegularExpression=""
         passwordFormat="Hashed"
         enablePasswordReset="true"
         enablePasswordRetrieval="false"
         requiresQuestionAndAnswer="false"
         requiresUniqueEmail="true" />
  </providers>
</membership>
And there's a "key generator" snippet in this MSDN article, run it twice and shove them in your web.config as:
<system.web>
  <machineKey
    validationKey="<blah>"
    decryptionKey="<blah>"
    validation="SHA1"
    decryption="AES"
  />
</system.web>
You can encrypt the passwords by configuring the membership provider setting & keys in web.config
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
  <providers>
    <!-- enablePasswordRetrieval must be false with passwordFormat="Hashed":
         SqlMembershipProvider refuses to initialize when hashed passwords
         are combined with password retrieval. -->
    <add
      name="SqlProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="SqlServices"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="true"
      passwordFormat="Hashed"
      minRequiredPasswordLength="1"
      minRequiredNonalphanumericCharacters="0"
      passwordStrengthRegularExpression="^([1-zA-Z0-1#.\s]{1,255})$"
      applicationName="NitinJS" />
  </providers>
</membership>
I am using the default SQLMembershipProvider in my ASP.NET 2.0 website, and expect the Membership.ValidateUser to lock-out the user after entering a number of wrong passwords (5, in my case) but ValidateUser doesn't seem to be caring about keeping count of bad password attempts and locking out the user.
What's wrong?
The Membership configuration in my web.config:
<membership defaultProvider="SqlMembershipProvider">
  <providers>
    <clear />
    <add connectionStringName="ConnectionStringName" enablePasswordRetrieval="true"
         enablePasswordReset="true" requiresQuestionAndAnswer="false"
         requiresUniqueEmail="true" passwordFormat="Encrypted" maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0"
         passwordAttemptWindow="10" passwordStrengthRegularExpression=""
         applicationName="MyApp" name="SqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>
What are the PasswordAttemptWindow and MaxInvalidPasswordAttempts set to? And are these configuration settings set in the correct web.config (the one actually in use by the test environment)?
Here's the config for my membership usage which is working as required if it's of any use:
<membership defaultProvider="AspNetSqlMembershipProvider" userIsOnlineTimeWindow="30">
  <providers>
    <remove name="AspNetSqlMembershipProvider" />
    <!--
      Membership defaults mainly below this point:
      connString, reqQ&A - modified - all others currently default.
    -->
    <add connectionStringName="CustomSqlServerProvider"
         name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         requiresUniqueEmail="false"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="7"
         minRequiredNonalphanumericCharacters="1"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression=""
         applicationName="/" />
  </providers>
</membership>
Also, have you tried using the .Login() method for the authentication process instead? That's what I'm using rather than validateuser().
Please set the user.[IsApproved] to true