How to Lockout a User Account in ASP.NET Identity
In this article, I am going to discuss How to Lockout a User Account in ASP.NET Identity. Please read our previous article discussing How to Logout a User in ASP.NET Identity.
How to Lockout a User Account in ASP.NET Identity?
In order to lock out a user account in ASP.NET Identity, we need to use two properties of the user: LockoutEnabled and LockoutEndDateUtc.
- LockoutEnabled Property: The LockoutEnabled property indicates that lockout is enabled for a user. Setting it to true does not by itself lock the user out; it only means that the user can be locked out. A user is treated as locked out only when LockoutEnabled is true and LockoutEndDateUtc lies in the future.
- LockoutEndDateUtc Property: The LockoutEndDateUtc property indicates when the lockout ends. Be careful with two things: it is a nullable DateTime (DateTime?) that must hold a UTC value, not a DateTimeOffset, and a null value or a date in the past means the user is not locked out.
So, by using the above two properties together, we can lock out a user for a specific amount of time. For example, to lock out a user for 10 minutes, we need the following code.
user.LockoutEnabled = true;
user.LockoutEndDateUtc = DateTime.UtcNow.AddMinutes(10);
UserManager.Update(user);
In the above code, we enable lockout for the user by setting the LockoutEnabled property to true. Then we add 10 minutes to the current UTC time with the AddMinutes method and assign the result to the LockoutEndDateUtc property; the property is stored and compared in UTC, so use DateTime.UtcNow rather than DateTime.Now. Finally, UserManager.Update(user) saves the change; assigning the properties alone only modifies the in-memory object. The user is now locked out for 10 minutes.
Instead of setting the properties directly, we can call the SetLockoutEnabled and SetLockoutEndDate methods of the UserManager, passing the id of the user to lock out as a parameter. These methods persist the change themselves and return an IdentityResult object, whose Succeeded property should be checked:
var enableResult = UserManager.SetLockoutEnabled(userId, true);
var endDateResult = UserManager.SetLockoutEndDate(userId, DateTimeOffset.Now.AddMinutes(10));
In order to lock out a user indefinitely (until an administrator unlocks the account again), set the end date to its maximum value. Note the different types: the property takes a DateTime, while the UserManager method takes a DateTimeOffset.
user.LockoutEnabled = true;
user.LockoutEndDateUtc = DateTime.MaxValue;
UserManager.Update(user);
// OR
var enableResult = UserManager.SetLockoutEnabled(userId, true);
var endDateResult = UserManager.SetLockoutEndDate(userId, DateTimeOffset.MaxValue);
If you open App_Start/IdentityConfig.cs in a project created from the MVC template, you will find the default lockout configuration in ApplicationUserManager.Create (reproduced in the last section of this article): lockout is enabled for new users and lasts 5 minutes after 5 failed access attempts.
Note: You can change these defaults to suit your application.
Unlocking a User in ASP.NET Identity:
The simplest way to unlock a locked-out user is to set the LockoutEnabled property to false, which makes IsLockedOut return false immediately (when using the property, follow it with UserManager.Update(user) to save the change):
user.LockoutEnabled = false;
// OR
var result = UserManager.SetLockoutEnabled(userId, false);
Be aware that this also disables lockout for that account permanently: future failed login attempts will no longer lock it. To end the current lockout but keep the protection, leave LockoutEnabled as true and clear the end date instead, either by setting LockoutEndDateUtc to null on the user and calling UserManager.Update(user), or by calling UserManager.SetLockoutEndDate(userId, DateTimeOffset.MinValue), which the Entity Framework UserStore stores as null. It is also good practice to call UserManager.ResetAccessFailedCount(userId) so that earlier failed attempts do not carry over.
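The following is an added example, not code from the original article, that puts the locking and unlocking steps above into one admin-only controller. It assumes the ApplicationUserManager class generated by the MVC 5 "Individual User Accounts" template and an "Admin" role name (both assumptions; adjust them to your project). Lock covers both the timed and the indefinite case, and Unlock ends the lockout without switching the protection off.

```csharp
// Added example, not code from the original article. Assumes the ApplicationUserManager
// class generated by the MVC 5 "Individual User Accounts" template and an "Admin" role
// name (both assumptions; adjust to your project).
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

[Authorize(Roles = "Admin")]
public class UserLockoutController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    // POST /UserLockout/Lock with userId and optional minutes (omitted = indefinite)
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Lock(string userId, int? minutes)
    {
        // Step 1: the account must have lockout enabled, or IsLockedOut always returns false.
        IdentityResult enabled = await UserManager.SetLockoutEnabledAsync(userId, true);
        if (!enabled.Succeeded)
        {
            return Failed(enabled);
        }

        // Step 2: compute the end in UTC. The store persists lockoutEnd.UtcDateTime in
        // LockoutEndDateUtc and IsLockedOut compares it with DateTimeOffset.UtcNow.
        DateTimeOffset lockoutEnd = minutes.HasValue
            ? DateTimeOffset.UtcNow.AddMinutes(minutes.Value)
            : DateTimeOffset.MaxValue;      // stays locked until Unlock is called

        IdentityResult ended = await UserManager.SetLockoutEndDateAsync(userId, lockoutEnd);
        if (!ended.Succeeded)
        {
            return Failed(ended);
        }

        // Step 3: a lockout does not end existing sessions by itself. Changing the
        // security stamp makes the cookie middleware (SecurityStampValidator, wired up
        // in Startup.Auth.cs by the template) sign the user out on its next validation pass.
        await UserManager.UpdateSecurityStampAsync(userId);

        bool isLockedOut = await UserManager.IsLockedOutAsync(userId);
        return Json(new { userId, isLockedOut, lockoutEnd });
    }

    // POST /UserLockout/Unlock with userId
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Unlock(string userId)
    {
        // DateTimeOffset.MinValue is stored as a null LockoutEndDateUtc by the Entity
        // Framework UserStore, which ends the lockout while LockoutEnabled stays true,
        // so future failed logins can still lock the account. (Setting LockoutEnabled
        // to false would also unlock, but it would turn the protection off for good.)
        IdentityResult cleared = await UserManager.SetLockoutEndDateAsync(userId, DateTimeOffset.MinValue);
        if (!cleared.Succeeded)
        {
            return Failed(cleared);
        }

        // Failed attempts counted before the lockout should not carry over.
        IdentityResult reset = await UserManager.ResetAccessFailedCountAsync(userId);
        if (!reset.Succeeded)
        {
            return Failed(reset);
        }

        bool isLockedOut = await UserManager.IsLockedOutAsync(userId);
        return Json(new { userId, isLockedOut });   // isLockedOut is now false
    }

    private ActionResult Failed(IdentityResult result)
    {
        // IdentityResult.Errors holds the store's messages when Succeeded is false.
        return new HttpStatusCodeResult(500, string.Join("; ", result.Errors));
    }
}
```

Both actions are POST with an anti-forgery token because locking and unlocking accounts are state-changing operations that must not be reachable through a crafted link. The UserManager methods throw an InvalidOperationException when userId does not exist, so validate the id (or catch that exception) if the value comes from user input.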
Namespaces
In order to get the UserManager and use the SetLockoutEnabled and SetLockoutEndDate methods, you have to include the following namespaces (Microsoft.AspNet.Identity provides the UserManager and its synchronous SetLockoutEnabled and SetLockoutEndDate extension methods; Microsoft.AspNet.Identity.Owin provides the GetUserManager extension used to obtain the manager from the OWIN context):
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
Lockout a User Account After Several Failed Login Attempts in ASP.NET Identity
In order to lock out a user account in ASP.NET Identity after several failed login attempts, we need to use the shouldLockout parameter of the PasswordSignIn method.
- shouldLockout: The shouldLockout parameter indicates that a failed sign-in should count towards locking the user account.
All you have to do is pass shouldLockout: true to the PasswordSignIn method:
var result = SignInManager.PasswordSignIn(model.Email, model.Password, model.RememberMe, shouldLockout: true);
This enables login failures to trigger account lockout. Two conditions must both hold: shouldLockout must be true (the MVC project template's Login action passes false, so lockout never triggers until you change it), and the account itself must have LockoutEnabled set to true, which the template does for newly created users through UserLockoutEnabledByDefault. With the template's defaults, a user is locked out for 5 minutes after 5 failed login attempts. To change this behavior, go to App_Start > IdentityConfig.cs and adjust the following configuration in ApplicationUserManager.Create to your requirements.
// Configure user lockout defaults
manager.UserLockoutEnabledByDefault = true;
manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(5); // lockout timespan
manager.MaxFailedAccessAttemptsBeforeLockout = 5; // number of failed login attempts before lockout
The number of failed login attempts made by a user so far is stored in the AccessFailedCount property.
Note: When AccessFailedCount reaches the value defined in MaxFailedAccessAttemptsBeforeLockout, the UserManager sets the lockout end date to the current time plus DefaultAccountLockoutTimeSpan and resets AccessFailedCount to 0 automatically. A successful sign-in also resets the count to 0. There is no time window: the count only goes down when one of those two events happens.
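The following is an added example, not code from the original article, showing the two pieces that have to agree for failed-attempt lockout to work: the lockout policy applied in ApplicationUserManager.Create, and a Login action that passes shouldLockout: true and handles every SignInStatus. It assumes the ApplicationUserManager, ApplicationSignInManager and LoginViewModel classes generated by the MVC 5 "Individual User Accounts" template, a Lockout view, and a 15-minute lockout policy (all assumptions; adjust them to your project).

```csharp
// Added example, not code from the original article. Assumes the ApplicationUserManager,
// ApplicationSignInManager and LoginViewModel classes generated by the MVC 5
// "Individual User Accounts" template (assumption; names may differ in your project).
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

public static class LockoutPolicy
{
    // Call this from ApplicationUserManager.Create in App_Start/IdentityConfig.cs.
    public static void Apply(ApplicationUserManager manager)
    {
        // New users get LockoutEnabled = true. Accounts created while this was false keep
        // LockoutEnabled = false and are never locked out; fix those with SetLockoutEnabled.
        manager.UserLockoutEnabledByDefault = true;
        manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(15); // assumed policy
        manager.MaxFailedAccessAttemptsBeforeLockout = 5;
    }
}

public class LoginController : Controller
{
    private ApplicationSignInManager SignInManager
    {
        get { return HttpContext.GetOwinContext().Get<ApplicationSignInManager>(); }
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // shouldLockout: true is what makes a wrong password increment AccessFailedCount
        // and lock the account at MaxFailedAccessAttemptsBeforeLockout. The template
        // passes false here, so out of the box no lockout ever happens.
        SignInStatus status = await SignInManager.PasswordSignInAsync(
            model.Email, model.Password, model.RememberMe, shouldLockout: true);

        switch (status)
        {
            case SignInStatus.Success:
                // A successful sign-in resets AccessFailedCount to 0.
                return RedirectToLocal(returnUrl);

            case SignInStatus.LockedOut:
                // Returned both when the user was already locked out and when this attempt
                // was the one that reached the limit. Do not echo the remaining duration.
                return View("Lockout");   // assumed view: Views/Login or Views/Shared

            case SignInStatus.RequiresVerification:
                // Two-factor step of the template's AccountController (assumed to exist).
                return RedirectToAction("SendCode", "Account",
                    new { ReturnUrl = returnUrl, RememberMe = model.RememberMe });

            default:
                // SignInStatus.Failure: same message whether the user exists or not,
                // so the login form cannot be used to enumerate accounts.
                ModelState.AddModelError("", "Invalid login attempt.");
                return View(model);
        }
    }

    private ActionResult RedirectToLocal(string returnUrl)
    {
        // Only follow returnUrl inside this site (open-redirect guard).
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }
}
```

Note that a wrong password for a user name that does not exist returns SignInStatus.Failure without touching any counter, so the lockout policy only ever applies to real accounts; keeping the error message identical for both cases is what prevents that difference from leaking.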
In the next article, I am going to discuss Authorization in ASP.NET Identity. Here, in this article, I try to explain How to Lockout a User Account in ASP.NET Identity. I hope you enjoy this How to Lockout a User Account in ASP.NET Identity article.