问题
I would like to ask how do I block a user after a specified failed attempts. After 30 minutes or whatever time, the user will be able to log in again.. Here's my sample code for log in.
public partial class Login : System.Web.UI.Page
{
SimplerAES AES = new SimplerAES();
protected void Page_Load(object sender, EventArgs e)
{
Session.Clear();
}
protected void btnLogIn_Click(object sender, EventArgs e)
{
if (txtUsername.Text == "" || txtPassword.Text == "")
{
lblMessage.Visible = true;
txtUsername.Text = "";
txtPassword.Text = "";
lblMessage.Text = "Invalid Username/Password";
}
else
{
SqlConnection con = new SqlConnection(SeiboLMS.Helper.GetConnectionString());
con.Open();
SqlCommand com = new SqlCommand();
com.Connection = con;
com.CommandType = CommandType.Text;
com.CommandText = "SELECT * FROM Users WHERE UserName=@UserName";
com.Parameters.Add("@UserName", SqlDbType.NVarChar);
com.Parameters[0].Value = txtUsername.Text;
SqlDataReader data = com.ExecuteReader();
if (data != null)
{
while (data.Read())
{
if (txtPassword.Text == AES.Decrypt(data["Password"].ToString()))
{
if (data["UserTypeID"].ToString() == "1")
{
Session["userid"] = data["UserID"].ToString();
Session["usertypeid"] = data["UserTypeID"].ToString();
Session["username"] = data["UserName"].ToString();
Session["password"] = data["Password"].ToString();
Helper.Logs(int.Parse(data["UserID"].ToString()), 1, "Log In Successful");
Response.Redirect("Admin/Default.aspx");
}
else
{
Session["userid"] = data["UserID"].ToString();
Session["usertypeid"] = data["UserTypeID"].ToString();
Session["username"] = data["UserName"].ToString();
Session["password"] = data["Password"].ToString();
Helper.Logs(int.Parse(data["UserID"].ToString()), 1, "Log In Successful");
Response.Redirect("Employees/Default.aspx");
}
}
else
{
lblMessage.Text = "Invalid Username/Password.";
txtUsername.Text = "";
txtPassword.Text = "";
}
}
}
else
{
lblMessage.Text = "Invalid Username/Password.";
txtUsername.Text = "";
txtPassword.Text = "";
}
data.Close();
con.Close();
con.Dispose();
}
}
}
Please share with me what ideas do you have there. Thank you in advance..
回答1:
This question has been answered many times.
Search for c# login with failed attempts
This particular question is very similar. Login - Allow only 3 attempts
The top voted answer by Willem has the following text:
use a MembershipProvider and in your web.config, in system.web you can configure number of attempts and timeouts. Set maxInvalidPasswordAttempts="3" and passwordAttemptWindow="5" for your requirements.
I suggest that if you find this helpful, you go vote up Willems answer.
回答2:
You can use the MembershipProvider or depending on your database structure, create your own. Lots of ways to accomplish this, but one way is to include login_attempt, lockflag and timestamp columns. I'm guessing you have the login_attempt counter and are incrementing this (and resetting it to zero when successful) Then at login you check the values and if the user is locked check the timestamp to see when and if enough time has lapsed for the account to be unlocked.
回答3:
Well, what you could do is the following:
1) Add in your users table, a field (DateTime) indicating the time that he/she was blocked by exceeds the maximum login attempts. 2) Add a key in the web.config (AppSettings, perhaps) that indicate how long users that had access blocked must wait until they can try again. 3) When trying to authenticate the user, check if the lock field (DateTime) is null, if it is the user performs the login normally. Otherwise compare the current time with the time it is in this field from the table, if greater than the appsettings value, prevents the user to login.
Hope I helped!
来源:https://stackoverflow.com/questions/12055564/how-to-block-a-user-after-a-specified-failed-attempts-and-unblocking-the-user-af