Lmctruck30
New Member
I ahve implemented brute force protection via limitation of failed login counts as here: http://madskristensen.net/post/Brute-force-protect-your-website.aspxBut i'm encountering two issues:
- After certain amount of time ( in my case 2 minutes) record in cache is not expired and i'm unable to log in again. This means that when function checks the number of failed attempts, it still gets maximum allowed after this 5 minutes
- cache from MSDN as I understood is single storage for application. From what i see in my application, it seems like cache is per application per IP. Why?Any suggestions? Here's my code:\[code\]int CountOfFailedLoginAttempts(){ if(Cache["L1|"+TextBox1.Text]==null) { return 0; } return (int) Cache["L1|" + TextBox1.Text];}void AddFailedAttempt(){ if(Cache["L1|"+TextBox1.Text]==null) { Cache.Insert("L1|"+TextBox1.Text,1,null,System.Web.Caching.Cache.NoAbsoluteExpiration,new TimeSpan(0,2,0)); } else { int tries = (int) Cache["L1|" + TextBox1.Text]; Cache["L1|" + TextBox1.Text] = tries + 1; }}void ClearFailedAttemptCounter(){ Cache.Remove("L1|" + TextBox1.Text);}protected void Button1_Click(object sender, EventArgs e){ if (CountOfFailedLoginAttempts() >= 5) { Label1.Text = "Login will be unavailable for 2 minutes"; } else { SqlConnection con = new SqlConnection("valid connection string"); SqlCommand cmd = new SqlCommand("Select top 1 password from users WHERE UserName=@UN", con); cmd.CommandTimeout = 600; cmd.Parameters.Add(new SqlParameter("UN", TextBox1.Text)); con.Open(); string res = (string) cmd.ExecuteScalar(); con.Close(); if (res == TextBox2.Text) { FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, true); ClearFailedAttemptCounter(); } else { Label1.Text = "Wrong password. "+(5-CountOfFailedLoginAttempts()).ToString()+"more attempts and access will be suspended for 2 minutes."; AddFailedAttempt(); } }}\[/code\]}