Forms Authentication Security Lockout

mumfie · April 29, 2019, 8:54am

Hi Radzen Team,
I have a couple of questions perhaps you could advise on.

Question 1
When using standard forms based security is it possible to implement account Lockout policy. E.G if a user enters an incorrect password 3 times the account is automatically locked for a period of time.
I added the following code to Startup.Custom.cs and added a New user but it does not work as expected. After several repeated failed attempts the sql table AspNetUsers AccessFailedCount is still 0 (although LockoutEnabled=1).
Core 2.2
https://www.radzen.com/documentation/custom-security-password-policy/

services.Configure<IdentityOptions>(options =>
{
options.Lockout.MaxFailedAccessAttempts =3;
//lockout for 1 hour
options.Lockout.DefaultLockoutTimeSpan= new TimeSpan(0, 1, 0, 0, 0);
 });

Question 2
TokenProviderOptions.cs creates a SymmetricSecurityKey using a predefined key as a parameter. Should this key be customized to increase security? If so how to customise as this file is automatically generated.

Thanks

korchev · April 29, 2019, 10:19am

Hi @mumfie,

Indeed Security Lockout won't work at the moment as it requires some extra code to be invoked.

You can prevent Radzen from overwriting a file during code generation via the ignore list. You can add TokenProviderOptions.cs and change it per your needs.

mumfie · April 29, 2019, 10:27am

Thanks @korchev,
The lockout is important . Is this something you plan to implement or is it something we need to implement ourselves?

korchev · April 29, 2019, 1:04pm

I logged this as a feature request. You can probably implement it now by following the documentation. You will have to add the AutoController.cs file to the ignore list and use singnInManager.CheckPasswordSignInAsync instead of userManager.CheckPasswordAsync

mumfie · April 29, 2019, 2:01pm

Thanks @korchev
We will look into implementing it when time permits.