SqlMembershipProvider.PasswordAttemptWindow Property

 

Gets the time window between which consecutive failed attempts to provide a valid password or password answers are tracked.

Namespace:   System.Web.Security
Assembly:  System.Web (in System.Web.dll)

public override int PasswordAttemptWindow { get; }

Property Value

Type: System.Int32

The time window, in minutes, during which consecutive failed attempts to provide a valid password or password answers are tracked. The default is 10 minutes. If the interval between the current failed attempt and the last failed attempt is greater than the PasswordAttemptWindow property setting, each failed attempt is treated as if it were the first failed attempt.

The PasswordAttemptWindow property works in conjunction with the MaxInvalidPasswordAttempts property to help guard against an unwanted source guessing the password or the password answer of a membership user through repeated attempts. When users are attempting to log in, change their password, or reset their password, only a certain number of consecutive attempts are allowed within a specified time window. The length of the time window is specified by the PasswordAttemptWindow property, which identifies the number of minutes allowed between invalid attempts.

If the number of consecutive failed attempts that a user makes to reset his or her password equals the value stored in the MaxInvalidPasswordAttempts property, and the time elapsed since the last invalid attempt is less than the number of minutes specified for the PasswordAttemptWindow property, then the membership user is locked out by setting the IsLockedOut property to true. The user can be unlocked by calling the UnlockUser method.

If the interval between the current failed attempt and the last failed attempt is greater than the PasswordAttemptWindow property setting, the current invalid attempt is counted as the first. If a valid password answer is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password-answer attempts is set to zero. If a valid password is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password attempts and the count of invalid password-answer attempts are set to zero.

The SqlMembershipProvider keeps count of invalid password attempts and invalid password-answer attempts separately. Invalid password attempts result in only the password-attempt counter being incremented. Invalid password-answer attempts result in only the password-answer counter being incremented.

The PasswordAttemptWindow property value is set in the application configuration using the passwordAttemptWindow attribute of the membership configuration section.

If the RequiresQuestionAndAnswer property is set to false, invalid password-answer attempts are not tracked.

The following code example shows the membership element in the system.web section of the Web.config file for an ASP.NET application. It specifies that the application use an instance of the SqlMembershipProvider and sets the maxInvalidPasswordAttempts attribute to five invalid attempts and the passwordAttemptWindow to 30 minutes.

<membership defaultProvider="SqlProvider" 
  userIsOnlineTimeWindow="20">
    <providers>
      <add name="SqlProvider"
        type="System.Web.Security.SqlMembershipProvider"
        connectionStringName="SqlServices"
        requiresQuestionAndAnswer="true"
        maxInvalidPasswordAttempts="5"
        passwordAttemptWindow="30"
        applicationName="MyApplication" />
    </providers>
</membership>
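
The following added example is not part of the original documentation and is not the provider's own code. It models the counting rules described in the remarks, using the values from the Web.config sample (5 attempts, 30 minutes). The LockoutModel class, its members, and the timestamps are hypothetical and constructed for illustration.

```csharp
using System;

// Model of the counting rules described above. Hypothetical names; not provider code.
class LockoutModel
{
    readonly int max;            // maxInvalidPasswordAttempts
    readonly TimeSpan window;    // passwordAttemptWindow, in minutes
    DateTime lastPwd, lastAns;   // time of the last failure of each kind
    public int PwdFailures, AnsFailures;   // tracked separately
    public bool IsLockedOut;

    public LockoutModel(int maxAttempts, int windowMinutes)
    {
        max = maxAttempts;
        window = TimeSpan.FromMinutes(windowMinutes);
    }

    public void FailedPassword(DateTime now) { Fail(ref PwdFailures, ref lastPwd, now); }
    public void FailedAnswer(DateTime now) { Fail(ref AnsFailures, ref lastAns, now); }

    void Fail(ref int count, ref DateTime last, DateTime now)
    {
        // A failure more than one window after the previous one counts as the first.
        count = (count > 0 && now - last <= window) ? count + 1 : 1;
        last = now;
        if (count >= max) IsLockedOut = true;
    }

    // A valid password clears both counters; a valid answer clears only its own.
    public void ValidPassword() { PwdFailures = 0; AnsFailures = 0; }
    public void ValidAnswer() { AnsFailures = 0; }
}

static class Program
{
    static void Main()
    {
        DateTime t0 = new DateTime(2024, 1, 1, 9, 0, 0);   // constructed timestamps
        LockoutModel a = new LockoutModel(5, 30);          // values from the Web.config sample
        for (int i = 0; i < 5; i++) a.FailedPassword(t0.AddMinutes(i));
        Console.WriteLine("5 failures, 1 min apart: locked={0}", a.IsLockedOut);

        LockoutModel b = new LockoutModel(5, 30);
        for (int i = 0; i < 4; i++) b.FailedPassword(t0.AddMinutes(i));
        b.FailedPassword(t0.AddMinutes(3 + 31));           // 31 min after the 4th failure
        Console.WriteLine("after 31 min gap: count={0} locked={1}", b.PwdFailures, b.IsLockedOut);

        LockoutModel c = new LockoutModel(5, 30);
        for (int i = 0; i < 4; i++) { c.FailedPassword(t0.AddMinutes(i)); c.FailedAnswer(t0.AddMinutes(i)); }
        Console.WriteLine("4 password + 4 answer failures: locked={0}", c.IsLockedOut);
    }
}
```

Because failures spaced further apart than the window never accumulate toward lockout, failed-login monitoring over a longer period is a useful complement to these two settings.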

.NET Framework
Available since 2.0