I have a forms login on my web site using ASP.NET MVC with C#. All of the user profiles are stored in a Customer table that has the following columns:
- ID
- First_Name
- username
- password
- ActiveWebLog
with ActiveWebLog = 0 meaning the user has not yet activated their account, and ActiveWebLog = 1 meaning the user can log in.
This is my Login action in my controller:
public ActionResult LogOnCustomer()
{
    return View();
}

[HttpPost]
public ActionResult LogOnCustomer(LogOnModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        // Credentials are checked against the Customer table by the membership service
        if (MembershipService.ValidateCustomer(model.UserName, model.Password))
        {
            this.AuthCustomer = MembershipService.AuthCustomer;
            FormsService.SignIn(model.UserName, model.RememberMe);
            if (!String.IsNullOrEmpty(returnUrl))
            {
                return Redirect(returnUrl);
            }
            else
            {
                return RedirectToAction("RedirectPage", "Account");
            }
        }
        else
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
        }
    }
    // If we got this far, something failed, redisplay form
    return View(model);
}
What I want is to set ActiveWebLog = -2 when the user inputs an incorrect username or password 5 times.
Does anyone know how to do that?
Add a LoginAttemptCount column to your table.
Check user credentials against the database.
If no user name, fail. It may be advisable to not tell the user that the username does not exist, because that supports grinding attempts to locate user names.
If the user name matches but the LoginAttemptCount >= 5 (or any number), fail.
If the user name matches but the password is bad, increment LoginAttemptCount and fail.
If the user name and password are good (hopefully you are using a hashed password) and LoginAttemptCount < 5, reset LoginAttemptCount to zero.
If you use this methodology, you technically don’t need to modify the ActiveWebLog column when the user exceeds the bad password limit (but you certainly could).
I would put the business rules for this inside a separate class library. Your controller will probably have the basic logic to invoke this class library and modify your view based on the resulting status codes.
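The rules above, written as the separate class the answer recommends; this is an added example, not code from the question or the answer. The Customer class, the in-memory dictionary standing in for the Customer table, the LoginStatus enum and the PBKDF2 hash storage are assumptions (CryptographicOperations.FixedTimeEquals needs .NET Core 2.1 or later).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Constructed stand-in for a Customer row; LoginAttemptCount is the column the answer adds.
public class Customer
{
    public int ID, LoginAttemptCount;
    public int ActiveWebLog;          // 0 = not activated, 1 = may log in, -2 = locked after too many failures
    public string username;
    public byte[] Salt, PasswordHash; // assumption: a salted PBKDF2 hash is stored, never the plain password
}

public enum LoginStatus { Success, BadCredentials, LockedOut, NotActivated }

public class CustomerLoginService
{
    public const int MaxAttempts = 5;
    private readonly IDictionary<string, Customer> _customers; // stands in for the Customer table

    public CustomerLoginService(IDictionary<string, Customer> customers) { _customers = customers; }

    public static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000)) return kdf.GetBytes(32);
    }

    public LoginStatus Validate(string username, string password)
    {
        Customer c;
        // An unknown user gets the same status as a wrong password, so the reply never confirms a user name.
        if (!_customers.TryGetValue(username, out c)) return LoginStatus.BadCredentials;
        // Check the lock first, so a locked account is refused even with the right password.
        if (c.ActiveWebLog == -2 || c.LoginAttemptCount >= MaxAttempts) return LoginStatus.LockedOut;
        if (!CryptographicOperations.FixedTimeEquals(Hash(password, c.Salt), c.PasswordHash))
        {
            c.LoginAttemptCount++;                                       // bad password: count it ...
            if (c.LoginAttemptCount >= MaxAttempts) c.ActiveWebLog = -2; // ... and lock on the fifth failure
            return LoginStatus.BadCredentials;
        }
        if (c.ActiveWebLog != 1) return LoginStatus.NotActivated;
        c.LoginAttemptCount = 0; // a good login resets the counter
        return LoginStatus.Success;
    }
}
```

Calling Validate five times with a wrong password returns BadCredentials each time and leaves ActiveWebLog at -2; from then on every call returns LockedOut, correct password or not, and the controller maps each status to a view message or redirect.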