Hello Abdhullah,
Please have a look at this MSDN documentation, which shows a custom implementation of the WebAuthenticationFailureAuditEvent class. The Membership provider fires an AuditMembershipAuthenticationFailure Web event when a user login fails. The NameToAuthenticate property returns the name of the user being authenticated. You can use it to fetch the user's record, read the user's email and then send out an e-mail. Please remember that the AuditMembershipAuthenticationFailure event is raised when any one of the following conditions is true, and hence you will also have to check whether the user is locked out or not.
- Either the user name or password does not match
- User is not active
- User is locked out
Please note that the said event is raised every time there is a login failure. You can use the IsLockedOut bit field of the aspnet_Membership table to determine whether the user in question is locked out or not. This check itself won't be sufficient if you want to send the email only once. You need an additional check.
MSDN Membership Provider Doc#Account Locking:
How does an account become locked in the first place? Suppose the user types an incorrect password into the login page. After ascertaining that the password is invalid, CheckPassword calls the stored procedure aspnet_Membership_UpdateUserInfo to update the corresponding record in the aspnet_Membership table. It passes in a bit flag indicating an invalid password was submitted. Seeing the flag, the stored procedure increments the failed password attempt count. If the count exceeds the maximum specified by MaxInvalidPasswordAttempts, and if all the password failures occurred within the time window specified by PasswordAttemptWindow, the stored procedure sets IsLockedOut to 1, effectively locking the account until further notice. Thus, locking is handled primarily at the database level, and it is largely opaque to the provider itself.
The above doc suggests that you can check the difference between MaxInvalidPasswordAttempts and FailedPasswordAttemptCount, and if it's equal to 1 then it's the first time the user is getting locked out.
Regards,
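
Added example, not part of the original answer or the MSDN sample: a health-monitoring provider that reacts to the AuditMembershipAuthenticationFailure event and mails the user once per lockout. The class name, sender address and message text are assumptions, and it de-duplicates on MembershipUser.LastLockoutDate instead of the attempt counters, since MembershipUser does not expose FailedPasswordAttemptCount.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Mail;
using System.Web.Management;
using System.Web.Security;

// Hypothetical provider; it must be registered under <healthMonitoring> in web.config.
public class LockoutMailProvider : WebEventProvider
{
    // user name -> LastLockoutDate already notified (in memory, lost on app recycle)
    private static readonly Dictionary<string, DateTime> Notified =
        new Dictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    public override void ProcessEvent(WebBaseEvent raisedEvent)
    {
        var failure = raisedEvent as WebAuthenticationFailureAuditEvent;
        if (failure == null ||
            failure.EventCode != WebEventCodes.AuditMembershipAuthenticationFailure)
            return;

        // NameToAuthenticate is whatever was typed into the login form, so it may
        // match no account. userIsOnline: false avoids updating LastActivityDate.
        MembershipUser user = Membership.GetUser(failure.NameToAuthenticate, false);
        if (user == null || !user.IsLockedOut || string.IsNullOrEmpty(user.Email))
            return;

        // The event fires on every failed login, including those made after the
        // lockout, so send only when this lockout timestamp has not been seen.
        DateTime lockedAt = user.LastLockoutDate;
        lock (Notified)
        {
            DateTime seen;
            if (Notified.TryGetValue(user.UserName, out seen) && seen == lockedAt)
                return;
            Notified[user.UserName] = lockedAt;
        }

        using (var message = new MailMessage(
            "noreply@example.com", user.Email, "Your account has been locked",
            "Your account was locked after repeated failed sign-in attempts."))
        using (var smtp = new SmtpClient()) // settings from <system.net><mailSettings>
        {
            smtp.Send(message);
        }
    }

    public override void Flush() { }
    public override void Shutdown() { }
}
```

Because the notified map lives in memory, an application restart can cause one repeat mail for an account that is still locked; persist the last notified timestamp if that matters.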