I have code behind the login form that checks the database to see if the username and password exist. If the username does not exist, a message is displayed. If the username is correct and the password is wrong, a message is displayed. The messages are not displaying when the wrong password is entered. Second, I have code in place for unsuccessful login attempts. When a username and password are unsuccessful the username account locks, but when you try another username the message displays saying Account is locked. How do I reset the count on a different username?

C#
protected void Page_Load(object sender, EventArgs e)
    {
        TextBoxEA.Focus();

        if (!IsPostBack)
        {
            Session["counter"] = 0;     
        }
        else
        {
            Session["counter"] = Convert.ToInt32(Session["counter"]) + 1;

            using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
            {
                con.Open();

                string cmdStr = "Select count(*) from Table22 where EmailAddress=@TextBoxEA";
                SqlCommand sqlCmd = new SqlCommand(cmdStr, con);
                sqlCmd.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
                int userExists = (int)sqlCmd.ExecuteNonQuery();

                cmdStr = "Select count(*) from Table22 where EmailAddress = @TextBoxEA AND Password = @TextBoxPW";
                sqlCmd = new SqlCommand(cmdStr, con);
                sqlCmd.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
                sqlCmd.Parameters.Add("@TextBoxPW", TextBoxPW.Text);
                int correctPassword = (int)sqlCmd.ExecuteNonQuery();

                string msg = "";
                if (userExists == 0)
                    msg = "alert('User Name Does Not Exist You Must Fill Out Registration First');";
                else if (correctPassword == 0)
                    msg = "alert('Invalid UserName / Password');";
                else if (Convert.ToInt32(Session["counter"]) >= 3)
                {
                    msg = "alert('The Account is Locked Please call the Administrator');";

                    cmdStr = "Update Table22 SET isLocked = 1 where EmailAddress = @TextBoxEA";
                    sqlCmd = new SqlCommand(cmdStr, con);
                    sqlCmd.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
                    sqlCmd.ExecuteNonQuery();
                }
                if (msg.Length > 0)
                {
                    ScriptManager.RegisterStartupScript(this, this.GetType(), "script", msg, true);
                    TextBoxEA.Text = string.Empty;
                }
                con.Close();
            } 

        }
    }
Updated 30-May-14 4:29am (v2)
Comments

This is what I did to get the messages to pop back up, and it works, but the account lock will not. How can I fix this to keep everything going?

C#
protected void Page_Load(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        Session["counter"] = 0;
    }
    else
    {
        Session["counter"] = Convert.ToInt32(Session["counter"]) + 1;

        using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
        {
            con.Open();

            // number of rows with this e-mail address (ExecuteScalar returns the count)
            string cmdStr = "Select count(*) from Table22 where EmailAddress=@TextBoxEA";
            SqlCommand userExist = new SqlCommand(cmdStr, con);
            userExist.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
            int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());

            // number of rows where both e-mail address and password match
            cmdStr = "Select count(*) from Table22 where EmailAddress = @TextBoxEA AND Password = @TextBoxPW";
            userExist = new SqlCommand(cmdStr, con);
            userExist.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
            userExist.Parameters.Add("@TextBoxPW", TextBoxPW.Text);
            int temp2 = Convert.ToInt32(userExist.ExecuteScalar().ToString());

            string msg = "";
            if (temp == 0)
                msg = "alert('User Name Does Not Exist You Must Fill Out Registration First');";
            else if (temp == 1)
                msg = "alert('Invalid UserName / Password');";
            else if (Convert.ToInt32(Session["counter"]) >= 3)
            {
                msg = "alert('The Account is Locked Please call the Administrator');";

                cmdStr = "Update Table22 SET isLocked = 3 where EmailAddress = @TextBoxEA";
                userExist = new SqlCommand(cmdStr, con);
                userExist.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
                userExist.ExecuteNonQuery();
            }
            if (msg.Length > 0)
            {
                ScriptManager.RegisterStartupScript(this, this.GetType(), "script", msg, true);
                TextBoxEA.Text = string.Empty;
            }
            con.Close();
        }
    }
}
Comments
CHill60 30-May-14 12:07pm
Change the line userExist.ExecuteNonQuery(); to read int temp1 = userExist.ExecuteNonQuery(); then put a breakpoint on that line. Run your code. When execution stops, step over the line and examine the contents of temp1. If it does not equal 1 (or greater) then the database was not updated - there may be a problem with your column isLocked ... is it of type INT, for example? Even if that has worked, you are not checking to see if the Account was previously locked. See other solutions and comments to your post above to find an alternative method.
To answer the second part of your question, the messages no longer appear because you have changed the
C#
int userExists = (int)sqlCmd.ExecuteScalar();
that I gave you in a previous post to
C#
int userExists = (int)sqlCmd.ExecuteNonQuery();

ExecuteNonQuery will return the number of rows affected for inserts/updates/deletes, but for all other types of command (e.g. Select count(*)) it returns -1.
Thus
C#
if (userExists == 0)
is never true.
Store the "username" they tried in the session as well as the count. Then check if it was the same. If it wasn't, reset the count.

But...you shouldn't.
If someone is trying to hack his way in, all he has to do is try three times, then try a different name three times, then back to the original, then the second, and so forth. Better to fail the way you are and refuse to let him try. And lock the actual account he is trying, and use a cookie to slow him down.

And please, don't do passwords like that! Well done on using parameterised queries, but...passwords stored as text is a major security risk. See here: Password Storage: How to do it.

[edit] And one more thing: never report separate messages for bad username and bad password - use the same message so wannabes can't tell if they have a valid username. [/edit]
Comments
Computer Wiz99 29-May-14 14:23pm
OriginalGriff, thanks, but how do I correct my problem? In code.
CHill60 30-May-14 10:40am
Basically OG is saying that you shouldn't fix the problem. If you close the browser/tab and re-enter the site then it will reset. Otherwise a hacker would just keep on trying until they get into your site and cause untold damage.
Computer Wiz99 30-May-14 10:45am
Ok. I have that part, but why don't any of my messages pop up when the incorrect username and password are entered? And the message that the username does not exist also doesn't pop up. How can I fix these?
CHill60 30-May-14 11:31am
Put a breakpoint on the line string msg = ""; and view your page. When execution stops, examine the values of userExists and correctPassword.
CHill60 30-May-14 11:44am
Posted a solution to that part.
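The following routine pulls together CHill60's point (read a SELECT with ExecuteScalar/ExecuteReader, not ExecuteNonQuery) and OriginalGriff's advice (one generic failure message, lock the real account row rather than a session counter, never store plain-text passwords). It is an added example, not code from either answer or from the question; it assumes a hypothetical schema in which Table22 carries PasswordHash and Salt (varbinary), FailedAttempts (int) and IsLocked (bit), with the hash computed by PBKDF2-SHA256 at registration.

```csharp
using System.Data.SqlClient;
using System.Security.Cryptography;
// Assumed schema (hypothetical, not the page's Table22 layout): EmailAddress nvarchar, PasswordHash varbinary, Salt varbinary, FailedAttempts int, IsLocked bit.
public static class LoginService
{
    const int MaxAttempts = 3;
    const string GenericFailure = "Invalid username or password.";
    // Returns null on success, otherwise the single message shown for every kind of failure.
    public static string TryLogin(string connStr, string email, string password)
    {
        using (var con = new SqlConnection(connStr))
        {
            con.Open();
            byte[] hash = null, salt = null; int failed = 0; bool locked = false, exists = false;
            using (var cmd = new SqlCommand(
                "SELECT PasswordHash, Salt, FailedAttempts, IsLocked FROM Table22 WHERE EmailAddress = @email", con))
            {
                cmd.Parameters.AddWithValue("@email", email);
                using (var r = cmd.ExecuteReader())   // a SELECT is read with ExecuteReader/ExecuteScalar, never ExecuteNonQuery
                {
                    if (r.Read()) { exists = true; hash = (byte[])r[0]; salt = (byte[])r[1]; failed = r.GetInt32(2); locked = r.GetBoolean(3); }
                }
            }
            // Unknown user, locked account and wrong password all receive the same answer.
            if (!exists || locked) return GenericFailure;
            bool ok = VerifyPassword(password, salt, hash);
            // The counter lives on the account row, not in Session: a new tab or another username cannot reset it.
            failed = ok ? 0 : failed + 1;
            using (var upd = new SqlCommand(
                "UPDATE Table22 SET FailedAttempts = @n, IsLocked = @lock WHERE EmailAddress = @email", con))
            {
                upd.Parameters.AddWithValue("@n", failed);
                upd.Parameters.AddWithValue("@lock", failed >= MaxAttempts);
                upd.Parameters.AddWithValue("@email", email);
                upd.ExecuteNonQuery();   // rows affected is meaningful for an UPDATE
            }
            return ok ? null : GenericFailure;
        }
    }
    // PBKDF2-SHA256 via Rfc2898DeriveBytes (this overload needs .NET Framework 4.7.2+ or .NET Core 2.0+).
    static bool VerifyPassword(string password, byte[] salt, byte[] expected)
    {
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256))
            actual = kdf.GetBytes(expected.Length);
        int diff = 0;   // constant-time compare: do not stop at the first mismatching byte
        for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }
}
```

Unknown users skip the key derivation, so the response is slightly faster for them than for a wrong password; running the KDF against a dummy salt and hash in that branch removes the timing difference.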

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)