ASP.NET 2.0 Membership: ValidateUser not locking out the user? - asp.net

I am using the default SQLMembershipProvider in my ASP.NET 2.0 website, and expect the Membership.ValidateUser to lock-out the user after entering a number of wrong passwords (5, in my case) but ValidateUser doesn't seem to be caring about keeping count of bad password attempts and locking out the user.
What's wrong?
The Membership configuration in my web.config:
<membership defaultProvider="SqlMembershipProvider" >
<providers>
<clear />
<add connectionStringName="ConnectionStringName" enablePasswordRetrieval="true"
enablePasswordReset="true" requiresQuestionAndAnswer="false"
requiresUniqueEmail="true" passwordFormat="Encrypted" maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0"
passwordAttemptWindow="10" passwordStrengthRegularExpression=""
applicationName="MyApp" name="SqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>

what is the PasswordAttemptWindow and MaxInvalidPasswordAttempts set to? and is these configuration settings set in the correct web.config? (the one actual in use by the test environment)

Here's the config for my membership usage which is working as required if it's of any use:
<membership defaultProvider="AspNetSqlMembershipProvider" userIsOnlineTimeWindow="30">
<providers>
<remove name="AspNetSqlMembershipProvider" />
<!--
Membership defaults mainly below this point:
connString, reqQ&A - modified - all others currently default.
-->
<add connectionStringName="CustomSqlServerProvider"
name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1"
passwordAttemptWindow="10"
passwordStrengthRegularExpression=""
applicationName="/" />
</providers>
</membership>
Also, have you tried using the .Login() method for the authentication process instead? That's what i'm using rather than validateuser().

Please set the user.[IsApproved] to true

Related

set config file for custom role and membership provider causes an error

I want to use custom membership and role provider in MVC4 .
So i added some code to my config file as you can see here:
<membership defaultProvider="AspNetSqlMembershipProvider">
<providers> <clear />
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="authentication" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="CustomRoleProvider">
<providers>
<clear/>
<add name="CustomRoleProvider"
connectionStringName="authentication"
enablePasswordRetrieval="false" enablePasswordReset="true"
requiresQuestionAndAnswer="false" writeExceptionsToEventLog="false" />
</providers>
</roleManager>
But when i go to ** Web Site Administration Too** for adding role i got this error:
The following message may help in diagnosing the problem: Sections must only appear once per config file. See the help topic for exceptions. (C:\Users\ehsan\Desktop\EducationModel\EducationMVC\web.config line 46)
You have multiple membership providers defined separately:
Removing one of them should get rid of that error. But if you need to have both providers then update as follows:
<membership defaultProvider="MembershipProvider2">
<providers>
<add name="MembershipProvider1" type="WebMatrix.WebData.SimpleMembershipProvider, WebMatrix.WebData" />
<add name="MembershipProvider2" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
</providers>
</membership>
Here MembershipProvider2 is set as defaultProvider just for example. You would update this with whichever providers you need to use as default.

Membership provider error mvc web.config

I am getting membership error in my application.
This is my web.config section that is creating error.
<membership defaultProvider="DefaultMembershipProvider">
<providers>
<add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
</providers>
</membership>
Like all other same questions like this one I have read, are telling me about adding defaultProvider and name to this config file.
But I already have defaultProvider and name set to by default in there.
What other customization needs to be done?
You can see this error here-
http://funranger.com
I suspect there is already a membership provider registered before your configuration file is loaded.
You'll need to remove the first membership provider, and this can be done by clearing all providers before you add one, just as you are doing with your connectionstrings.
In the configuration section, inside the membership/providers section, add a element before the element(s).
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="WorkI" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/"/>
</providers>
</membership>
And also add the below line in your web.config file.
<connectionStrings><add name="DefaultConnection" connectionString="Data Source=YourServername;Initial Catalog=YourDBname;Integrated Security=True;MultipleActiveResultSets=True" providerName="System.Data.SqlClient" /></connectionStrings>
Here is how your membership provider's declaration should look like in the web.config under the system.web element
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add
name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="MySqlConnection"
applicationName="MyApplication"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
requiresUniqueEmail="true"
passwordFormat="Hashed" />
</providers>
</membership>

Multiple Applications and one aspnetdb, problems with Profile

We are running several applications on the same aspnetdb.
They are all using the same MembershipProvider. Sometimes we are getting "weird values" for Profile properties. It seems that the application is using data from a different application.
We already use different ApplicationName parameters.
Is there a way to clearly separate the applications without using distinct databases for the profiles?
This post is useful for what you need
http://weblogs.asp.net/scottgu/archive/2006/04/22/Always-set-the-_2200_applicationName_2200_-property-when-configuring-ASP.NET-2.0-Membership-and-other-Providers.aspx
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="LocalSqlServer"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
requiresUniqueEmail="false"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1"
passwordAttemptWindow="10"
passwordStrengthRegularExpression=""
applicationName="/"
/>
</providers>
</membership>
Add the same connectionstring for each application, and set different names in applicationName attribute

Asp.net membership password format

i have application that uses asp.net membership. Unfortunately users password are stored using PasswordFormat clear. I want to change password to hashed format without asking user to setting theirs again. Another restriction is that UserId in Membership table can't be changed. Does anyone have any idea how to do it ?
In your web.config go to
<membership defaultProvider="MyMembershipProvider">
<providers>
<clear/>
<add name="MyMembershipProvider"
type="MyProviders.SqlMembershipProvider"
connectionStringName="MyConnectionString"
maxInvalidPasswordAttempts="5"
passwordAttemptWindow="10"
minRequiredNonalphanumericCharacters="0"
minRequiredPasswordLength="4"
passwordStrengthRegularExpression=""
passwordFormat="Hashed"
enablePasswordReset="true"
enablePasswordRetrieval="false"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="true" />
</providers>
</membership>
And there's a "key generator" snippet in this MSDN article, run it twice and shove them in your web.config as:
<system.web>
<machineKey
validationKey="<blah>"
decryptionKey="<blah>"
validation="SHA1"
decryption="AES"
/>
</system.web>
You can encrypt the passwords by configuring the membership provider setting & keys in web.config
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
<providers>
<add
name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="SqlServices"
enablePasswordRetrieval="true"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
passwordFormat="Hashed"
minRequiredPasswordLength="1"
minRequiredNonalphanumericCharacters="0"
passwordStrengthRegularExpression="^([1-zA-Z0-1#.\s]{1,255})$"
applicationName="NitinJS" />
</providers>
</membership>

Remove security question from Forms Based Authentication

I'm building a small website which will have FBA enabled (SqlMembershipProvider) and I want signup to be as simple as possible, just a prompt for username (email address) and password.
How do I remove the security question from the create user control?
My bad, I jumped the gun on that one.
It looks like the control will sense if the underlying provider required a question and answer. So, have you tried disabling it in the web.config?
<add
name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, ..."
connectionStringName="LocalSqlServer"
enablePasswordRetrieval="false"
enablePasswordReset="true"
**requiresQuestionAndAnswer="false"**
applicationName="/"
requiresUniqueEmail="false"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1"
passwordAttemptWindow="10"
passwordStrengthRegularExpression=""
/>
Wrong answer below:
Set the QuestionAndAnswerRequired property to false.
Set requiresQuestionAndAnswer="false" in your web.config
i.e.:
<membership defaultProvider="MySqlMembershipProvider">
<providers>
<clear/>
<add name="MySqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="LocalSQL"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="15"
minRequiredPasswordLength="5"
minRequiredNonalphanumericCharacters="0"
passwordAttemptWindow="10"
passwordStrengthRegularExpression=""
applicationName="/"/>
</providers>
</membership>

Resources