Forms Authentication Security Lockout

Hi Radzen Team,
I have a couple of questions perhaps you could advise on.

Question 1
When using standard forms-based security, is it possible to implement an account lockout policy? E.g., if a user enters an incorrect password 3 times, the account is automatically locked for a period of time.
I added the following code to Startup.Custom.cs and added a new user, but it does not work as expected. After several repeated failed attempts, the SQL table AspNetUsers AccessFailedCount is still 0 (although LockoutEnabled=1).
Core 2.2

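services.Configure<IdentityOptions>(options =>
{
    // lock the account after 3 failed password attempts
    options.Lockout.MaxFailedAccessAttempts = 3;
    // lockout for 1 hour (days, hours, minutes, seconds, milliseconds)
    options.Lockout.DefaultLockoutTimeSpan = new TimeSpan(0, 1, 0, 0, 0);
});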

Question 2
TokenProviderOptions.cs creates a SymmetricSecurityKey using a predefined key as a parameter. Should this key be customized to increase security? If so, how can it be customised, as this file is automatically generated?


Hi @mumfie,

Indeed Security Lockout won't work at the moment as it requires some extra code to be invoked.

You can prevent Radzen from overwriting a file during code generation via the ignore list. You can add TokenProviderOptions.cs and change it per your needs.

Thanks @korchev,
The lockout is important. Is this something you plan to implement or is it something we need to implement ourselves?

I logged this as a feature request. You can probably implement it now by following the documentation. You will have to add the AutoController.cs file to the ignore list and use signInManager.CheckPasswordSignInAsync instead of userManager.CheckPasswordAsync.
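An added example, not part of the thread and not Radzen's generated code, showing the change described above: a login action that calls `SignInManager.CheckPasswordSignInAsync` with `lockoutOnFailure: true`, the call that actually increments `AccessFailedCount` and applies the configured lockout. The controller, route and model names and the use of `IdentityUser` are assumptions; token issuance is left to the application's existing code.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

// Hypothetical request model; not from the generated project.
public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

[Route("auth")] // hypothetical route
public class LockoutAwareLoginController : Controller
{
    private readonly UserManager<IdentityUser> userManager;
    private readonly SignInManager<IdentityUser> signInManager;
    private readonly ILogger<LockoutAwareLoginController> logger;

    public LockoutAwareLoginController(UserManager<IdentityUser> userManager,
        SignInManager<IdentityUser> signInManager,
        ILogger<LockoutAwareLoginController> logger)
    {
        this.userManager = userManager;
        this.signInManager = signInManager;
        this.logger = logger;
    }

    [HttpPost("login")]
    public async Task<IActionResult> Login([FromBody] LoginModel model)
    {
        if (model?.UserName == null || model.Password == null) return BadRequest();

        var user = await userManager.FindByNameAsync(model.UserName);
        if (user == null) return Unauthorized(); // same answer as a wrong password

        // UserManager.CheckPasswordAsync only verifies the hash. This call also
        // increments AccessFailedCount on failure and sets LockoutEnd once
        // options.Lockout.MaxFailedAccessAttempts is reached.
        var result = await signInManager.CheckPasswordSignInAsync(
            user, model.Password, lockoutOnFailure: true);

        if (result.IsLockedOut)
            logger.LogWarning("Locked-out sign-in attempt for user id {UserId}", user.Id);
        if (!result.Succeeded) return Unauthorized(); // do not reveal lockout state

        return Ok(); // issue the token or cookie here, as the existing code does
    }
}
```

Lockout only applies to users whose `LockoutEnabled` column is 1, which matches the state described in the question.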

Thanks @korchev
We will look into implementing it when time permits.