Thursday, February 7, 2008

Custom Security MembershipProvider & Login attempts (MaxInvalidPasswordAttempts)

The Problem: have a limit on the number of possible login attempts when using a custom provider.

Let's say that you write your own MembershipProvider (quite common if you want to use your own object model...):

   using System;
   using System.Web;            // HttpContext
   using System.Web.Security;   // MembershipProvider

   public class MyMemberShipProvider : MembershipProvider
   {
       // ValidateUser, LoginFailed and LoginFailuresCount shown below are members of this class.
       // The remaining abstract members of MembershipProvider must be overridden as well.

Like many other articles explain, the most important Method is ValidateUser.
What people very often "forget" to mention is that none of the other features are present in your provider. For example, MaxInvalidPasswordAttempts is a property that you can set to any number, but nothing is going to happen.

In a Nutshell : you need to implement it yourself.

What I am showing below is a quite simple version, but it proves the point.

       public override bool ValidateUser(string pUsername, string pPassword)
       {
           // Demo only: a real provider checks the credentials against its own user store.
           if (pUsername.Equals("demo") && pPassword.Equals("demo"))
           {
               return LoginSuccess();
           }
           return LoginFailed();
       }

LoginFailed() basically returns false, but it also checks whether another attempt should be granted or not:

       private bool LoginFailed()
       {
           //WebFailureAuditEvent.Raise(WebEventCodes.AuditFormsAuthenticationFailure);
           LoginFailuresCount++;
           // Once the configured limit is reached, refuse any further attempt
           // (simplified here: abort the request with an exception).
           if (LoginFailuresCount >= this.MaxInvalidPasswordAttempts)
               throw new Exception("OK, that's it. Bye Bye");

           return false;
       }



You need to keep track of how many login failures there have been:

       // The counter lives in the ASP.NET session of the current request.
       protected int LoginFailuresCount
       {
           get
           {
               if (HttpContext.Current.Session["Failures"] == null)
                   return 0;
               return (int)HttpContext.Current.Session["Failures"];
           }
           set
           {
               HttpContext.Current.Session["Failures"] = value;
           }
       }


In the commented line where I was trying to raise the "WebFailureAuditEvent", I read somewhere that it was a good idea to raise it but could not find any reference or example. If anybody knows how to do it --> please let me know.

Note: An improvement to this model would be to support "PasswordAttemptWindow" which in this case I did not implement.

Note: new browser == new session, so it's not really a state-of-the-art security technique, it's a basic
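As an added example (not the post's code), here is a server-side, per-username tracker that implements the PasswordAttemptWindow improvement from the first note and avoids the "new browser, new session" reset from the second. The class name, the in-memory Dictionary store and the explicit clock parameter are my own assumptions; a real provider would persist the counters in its user table and read the limits from its MaxInvalidPasswordAttempts / PasswordAttemptWindow properties.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper: counts failed logins per username inside a sliding window
// and locks the account once the limit is reached. State is keyed by username,
// not by session, so opening a new browser does not reset the count.
public class LoginAttemptTracker
{
    private class Attempts { public int Count; public DateTime WindowStart; public DateTime? LockedUntil; }

    // In-memory store for illustration only; persist this in the user store in a real provider.
    private readonly Dictionary<string, Attempts> _store =
        new Dictionary<string, Attempts>(StringComparer.OrdinalIgnoreCase);
    private readonly object _sync = new object();
    private readonly int _maxAttempts;      // maps to MaxInvalidPasswordAttempts
    private readonly TimeSpan _window;      // maps to PasswordAttemptWindow (minutes)

    public LoginAttemptTracker(int maxInvalidPasswordAttempts, int passwordAttemptWindowMinutes)
    {
        _maxAttempts = maxInvalidPasswordAttempts;
        _window = TimeSpan.FromMinutes(passwordAttemptWindowMinutes);
    }

    // Check this before verifying the password; a locked user gets the same "false"
    // as a wrong password, so the caller leaks nothing about which case applied.
    public bool IsLockedOut(string username, DateTime now)
    {
        lock (_sync)
        {
            Attempts a;
            return _store.TryGetValue(username, out a) && a.LockedUntil.HasValue && a.LockedUntil.Value > now;
        }
    }

    // Returns true when this failure locks the account.
    public bool RecordFailure(string username, DateTime now)
    {
        lock (_sync)
        {
            Attempts a;
            if (!_store.TryGetValue(username, out a)) { a = new Attempts { WindowStart = now }; _store[username] = a; }
            // Failures older than the window no longer count: start a fresh window.
            if (now - a.WindowStart > _window) { a.Count = 0; a.WindowStart = now; }
            a.Count++;
            if (a.Count < _maxAttempts) return false;
            a.LockedUntil = now + _window;   // lock for one window, then allow retries
            return true;
        }
    }

    // A successful login clears the counter and any lock.
    public void RecordSuccess(string username) { lock (_sync) { _store.Remove(username); } }
}
```

In ValidateUser the order is: return false if IsLockedOut, then verify the password, then RecordSuccess or RecordFailure; locking instead of throwing keeps the response identical for a locked and a wrong-password user.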

17 comments:

Anonymous said...

Hi,

I was looking for a post about MembershipProviders and noticed your question about the WebFailureAuditEvent. This is part of the built-in Health Monitoring events. Raise this event like this:

// using System.Web.Management;
WebFailureAuditEvent MyEvent = new WebFailureAuditEvent(
    "Invalid login attempt",                          // string message
    this,                                             // object eventSource (the provider)
    WebEventCodes.AuditFormsAuthenticationFailure);   // int eventCode

MyEvent.Raise();

More about Health Monitoring: http://msdn2.microsoft.com/en-us/library/ms998306.aspx

Sebastian Talamoni said...

Thanks for the Tip!
