reset user lockout by sending a reset account link using asp net identity 2.1

Question

I have an ASP MVC project in which I want to send an unlock account lockout link to the user's email after the user gets lockout.I use asp net identity 2.1 in my project. What i could possibly do is to lock the account for a period of 30 minutes using asp identity. After this time the account gets unlocked. I tried to send email to the user which contains a reset link. The link calls a method which has the following code.

[AllowAnonymous]
public async Task<ActionResult> UnlockAccount(string userId)
{
    await UserManager.ResetAccessFailedCountAsync(userId);
    return RedirectToAction("Login");
}

But after this still my account is locked for the time period of 30 minutes which i setup in IdentityConfig.cs. Is this possible in asp net identity.

It resets the no of attempts left for the user to login before lockout — Noxious Reptile, Oct 23 '15 at 06:29
But it doesn't unlock an account, so if an account is already locked, even a gazillion attempts left wouldnt unlock it — Marco, Oct 23 '15 at 06:33

score 30 · Answer 1 · answered Jan 20 '17 at 12:32

30

I know this is old but it's worth an answer as I've just been wondering the same myself...

The AccessFailedCount doesn't matter - the only thing locking the user out is the LockoutEndDateUtc. If the current UTC datetime is before the LockoutEndDateUtc then you won't be able to gain entry.

It's simple enough to reset though:

await UserManager.SetLockoutEndDateAsync(userId, new DateTimeOffset(DateTime.UtcNow));

You can set the DateTimeOffset to anything you want as long as it's before the current DateTimeUTC, in my example I use DateTime.UtcNow as it gives the added benefit of knowing when the account was unlocked.

When the user eventually logs in again the AccessFailedCount will be reset to 0, so you don't need to worry about resetting that.

answered Jan 20 '17 at 12:32

Percy

2,855
2
33
56

6

Or for Core 2.0: await _userManager.SetLockoutEndDateAsync(user, null); Where "user" is: ApplicationUser user = await _userManager.FindByIdAsync(id); – philw Feb 10 '18 at 16:31
1

still a good idea to clear the AccessFailedCount just in case the user typed a wrong password on the first try and got locked out again right after resetting password. – Steve Feb 21 '20 at 22:28
Why set lock out end date to today when null will work? If you set it to a date and show the lock out end date in your admin, it will have a date, and may be confusing. – Dave Apr 06 '22 at 21:41
@Dave I explained this in the answer - "it gives the added benefit of knowing when the account was unlocked" - I also stated that is can be set to anything you want - so it's purely there for info. – Percy Apr 22 '22 at 12:53

score 1 · Answer 2 · answered Feb 04 '21 at 10:09

I thought I'd add an answer based on two of the comments above, as combined they seem to provide the best solution to this. I have a form in which I show a reCAPTCHA once the user is locked out, and clear the lockout if they submit the correct password along with a valid reCAPTCHA. The method I use to do the reset is below:

private async Task ResetLockoutIfPasswordCorrect(string username, string password)
{
    var user = await _userManager.FindByNameAsync(username);
    if (await _userManager.CheckPasswordAsync(user, password))
    {
        await _userManager.ResetAccessFailedCountAsync(user);
        await _userManager.SetLockoutEndDateAsync(user, null);
    }
}

As I say, I do guard this method with reCAPTCHA.

reset user lockout by sending a reset account link using asp net identity 2.1

2 Answers2