Lock a User/MembershipProvider/Login control

[ulrich schumacher]

Hi experts,

i wrote a custom MembershipProvider and when i come to implement the method
"UnlockUser" i wonder that there is no method "LockUser".
The member "IsLockedOut" of a MembershipUser is readony.
So, how do I lock a user?

I extend my custom provider class with a Method "LockUser". Is that the
right way?

Second question:

Does the Login control locks a User automatically, if the members
"MaxInvalidPasswordAttempts" and "PasswordAttemptWindow" are set or do i have
to code this manually in the eventhandlers of this control?

Thanks in advance,
ulrich

 

[Brock Allen]

This is a gray area in provider design. The intent of IsLockedOut is to prevent
an attacker from guessing passwords. To that end, it's up to the provider
internally to determine when this is happening and to lock the user out.
So their semantics and use for IsLockedOut is very specific, thus they intended
for each specific membership provider to "figure it out". Since there is
no LockUser API it seems that they didn't intend for it to be used as a general
"suspension" mechanism for users.

 

[ulrich schumacher]

Thanks Brock,
so there is no direct support of this feature in the Login control.

I dont know why I always have to walk through those gray areas when
implementing standard requirements ;-)

ulrich

 

[Brock Allen]

Well, there is a DisableCreatedUser property on the CreateUserWizard -- don't
know if this helps.