Recently I came across an intriguing question in the ASP.NET forum. A member from Canada reported that his Membership.ValidateUser() method was not working. According to him, this is what happened:
Long ago I implemented the Login control on a login page and I thought all was working. Testing has revealed that if you first enter an incorrect password but then next enter the correct password, the Login control fails to log the user in until they enter the correct password a second time. This is unacceptable.
So I began investigating what is wrong and quickly discovered that Membership.ValidateUser(username, password) is failing to return true even though I’m entering the correct credentials. I’ve done much research and discovered that plenty of other developers have experienced the same problem. As of yet, I have not found a solution to my particular problem so I thought I should try seeing if I could get an answer here.
In web.config here is the pertinent info related to Memberships:
If anyone could tell me why they think that Membership.ValidateUser() is consistently failing to work, I’d much appreciate it!
I noticed that PasswordAttemptWindow was missing from his web.config file. So my answer was:
It probably happened because you’ve not set the PasswordAttemptWindow to some exact time. That is why I gave you code to test; in my code it is set to 10.
If you kindly go through what MSDN says about it, you’ll understand why it is locked out no matter what value you’ve set for MaxInvalidPasswordAttempts.
“The MaxInvalidPasswordAttempts property works in conjunction with the PasswordAttemptWindow property to guard against an unwanted source using repeated attempts to guess the password or password answer of a membership user. If the number of invalid passwords or password answers entered for a membership user is greater than or equal to the value of the MaxInvalidPasswordAttempts property within the number of minutes specified by the PasswordAttemptWindow property, then the user is locked out of the Web site by setting the IsLockedOut property to true until the user is unlocked by a call to the UnlockUser method. If a valid password or password answer is supplied before the value of the MaxInvalidPasswordAttempts property is reached, the counter that tracks the number of invalid attempts is set to zero. Invalid password and password answer attempts are tracked separately. For example, if the MaxInvalidPasswordAttempts property is set to 5, the user has up to five attempts to enter a correct password and up to five attempts to enter a correct password answer without being locked out. The MaxInvalidPasswordAttempts property value is set in the application configuration using the passwordAttemptThreshold attribute of the membership Element (ASP.NET Settings Schema) configuration element.”
Best of luck.
I wanted to share this for many reasons, mostly because people often get stuck when setting up the Membership API in ASP.NET, forgetting that there are many small, subtle but very important aspects to be considered.
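
When ValidateUser() returns false for credentials you believe are correct, the lockout state described in the MSDN passage can be checked directly. The following is an added example, not code from the forum thread: the class and method names are hypothetical, and it assumes a membership provider is already configured in web.config.

```csharp
using System;
using System.Web.Security;

public static class LoginDiagnostics
{
    // Returns a reason string intended for server-side logs only.
    // Keep the message shown to the user generic, so the login page
    // does not reveal which accounts exist or are locked.
    public static string ExplainFailure(string username, string password)
    {
        if (Membership.ValidateUser(username, password))
            return "OK: credentials accepted";

        // userIsOnline = false: do not update the user's last-activity stamp.
        MembershipUser user = Membership.GetUser(username, false);
        if (user == null)
            return "FAIL: no such user";

        // A locked-out account fails validation even with the correct
        // password, and stays locked until UnlockUser() is called.
        if (user.IsLockedOut)
            return String.Format(
                "FAIL: locked out at {0:u}; effective policy is {1} invalid " +
                "attempts within {2} minute(s)",
                user.LastLockoutDate.ToUniversalTime(),
                Membership.MaxInvalidPasswordAttempts,
                Membership.PasswordAttemptWindow);

        if (!user.IsApproved)
            return "FAIL: account exists but is not approved";

        return "FAIL: wrong password";
    }

    // Administrative unlock, to be called only from an authorized admin path.
    public static bool Unlock(string username)
    {
        MembershipUser user = Membership.GetUser(username, false);
        return user != null && user.IsLockedOut && user.UnlockUser();
    }
}
```

Logging the effective MaxInvalidPasswordAttempts and PasswordAttemptWindow values alongside the failure shows which policy the provider is actually applying, including defaults picked up when an attribute is missing from web.config.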