The custom ASP.NET membership provider I am using does not support the MaxInvalidPasswordAttempts and PasswordAttemptWindow settings. I am required to use this particular provider and my situation prevents me from extending it’s functionality.
That said, what is the best approach for “rolling your own” implementation of account locking? Some initial ideas include:
- If a user exceeds the maximum number of invalid login attempts, set their account’s “IsApproved” setting to FALSE.
- If a user exceeds the maximum number of invalid login attempts, set a Boolean value in their profile (i.e. “IsLocked”) to true.
Also, what is the recommended way to keep track of the number of invalid attempts while attaining the PasswordAttemptWindow functionality? Should I persist a counter in Session, Cache, DB, etc..?
You should persist on the database, like the regular provider does.
Here you can download the source for the default membership provider, this might give you some insight for what you need to accomplish.