I’m using the SqlMembershipProvider and have a problem where aspnet_Membership_UpdateUserInfo is being called twice for a single failed logon. This means that a user will be locked out after only two attempts, not the 3 that I have configured.

Unfortunately I can’t simply bump the login attempts count to a higher number as the problem only seems to be happening for IE users. Firefox and Chrome don’t exibit the same problem.

The config I’m using is:

<membership defaultProvider="AcademyWebProvider" userIsOnlineTimeWindow="3">
    <providers>
        <remove name="AspNetSqlMembershipProvider" />
        <add minRequiredNonalphanumericCharacters="0" 
            minRequiredPasswordLength="3" 
            maxInvalidPasswordAttempts="3" 
            passwordAttemptWindow="15" 
            applicationName="AcademyPro" 
            connectionStringName="SqlServer" 
            enablePasswordReset="true" 
            requiresQuestionAndAnswer="false"
            name="AcademyWebProvider" 
            type="System.Web.Security.SqlMembershipProvider" />
    </providers>
</membership>

UPDATE
Digging around a bit more and looking at the fiddler traces IE7 (IE7 proper, not IE 8 computability mode) and IE8 submit the form twice. I also added onsubmit="alert('Ping!');" to the form tag, the alert box shows twice, so what ever the problem is it’s in javascript.