登录尝试失败会锁定所有帐户 [英] Unsuccessful Login Attempts locks out all the accounts
本文介绍了登录尝试失败会锁定所有帐户的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我在登录表单后面有一个代码,用于检查数据库以查看用户名和密码是否存在。如果用户名不存在,则会显示一条消息。如果用户名正确且密码错误,则会显示一条消息。输入错误密码时,不显示消息。其次,我有一个代码,用于登录尝试失败。如果用户名和密码不成功,则用户名帐户会锁定,但当您尝试其他用户名时,会显示一条消息,指出帐户已被锁定。如何在其他用户名上重置计数?
I have a code behind the login form that checks the database to see if the username and password exists. If the username does not exist a message is displayed. If the username is correct and the password is wrong a message is displayed. The messages are not displaying when the wrong password is entered. Second, I have a code in place for unsuccessful attempts for login. When a username and password are unsuccessful the username account locks but when you try another username the message displays saying Account is locked. How do I reset the count on a different username?
protected void Page_Load(object sender, EventArgs e)
{
TextBoxEA.Focus();
if (!IsPostBack)
{
Session["counter"] = 0;
}
else
{
Session["counter"] = Convert.ToInt32(Session["counter"]) + 1;
using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
{
con.Open();
string cmdStr = "Select count(*) from Table22 where EmailAddress=@TextBoxEA";
SqlCommand sqlCmd = new SqlCommand(cmdStr, con);
sqlCmd.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
int userExists = (int)sqlCmd.ExecuteNonQuery();
cmdStr = "Select count(*) from Table22 where EmailAddress = @TextBoxEA AND Password = @TextBoxPW";
sqlCmd = new SqlCommand(cmdStr, con);
sqlCmd.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
sqlCmd.Parameters.Add("@TextBoxPW", TextBoxPW.Text);
int correctPassword = (int)sqlCmd.ExecuteNonQuery();
string msg = "";
if (userExists == 0)
msg = "alert('User Name Does Not Exist You Must Fill Out Registration First');";
else if (correctPassword == 0)
msg = "alert('Invalid UserName / Password');";
else if (Convert.ToInt32(Session["counter"]) >= 3)
{
msg = "alert('The Account is Locked Please call the Administrator');";
cmdStr = "Update Table22 SET isLocked = 1 where EmailAddress = @TextBoxEA";
sqlCmd = new SqlCommand(cmdStr, con);
sqlCmd.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
sqlCmd.ExecuteNonQuery();
}
if (msg.Length > 0)
{
ScriptManager.RegisterStartupScript(this, this.GetType(), "script", msg, true);
TextBoxEA.Text = string.Empty;
}
con.Close();
}
}
}
推荐答案
回答你的第二部分问题,消息不再出现,因为您已更改
To answer the second part of your question, the messages no longer appear because you have changed the
int userExists = (int)sqlCmd.ExecuteScalar();int userExists = (int)sqlCmd.ExecuteNonQuery();
ExecuteNonQuery [ ^ ]将返回受插入/更新/删除影响的行数,但是对于所有其他类型的命令(例如选择计数(*))它返回-1。
因此
ExecuteNonQuery[^] will return the number of rows affected for inserts/updates/deletes but for all other types of command (e.g. Select count(*)) it returns -1.
Thus
if (userExists == 0)永远不会
存储用户名他们在会话中尝试了以及计数。然后检查它是否相同。如果不是,重置计数。
但是......你不应该。
如果有人试图破解他的他要做的就是尝试三次,然后尝试三次不同的名字,然后回到原来的,然后是第二次,依此类推。最好以你的方式失败并拒绝让他尝试。并锁定他正在尝试的实际帐户,并使用cookie来减慢他的速度。
请不要这样做密码!使用参数化查询做得很好,但是......作为文本存储的密码是一个主要的安全风险。请参阅此处:密码存储:如何操作。 [ ^ ]
还有一件事:永远不要为不良用户名和密码错误报告单独的消息 - 使用相同的消息,以便想知道他们是否拥有有效的用户名。[ / edit]
Store the "username" they tried in the session as well as the count. Then check if it was the same. if it wasn't, reset the count.
But...you shouldn't.
If someone is trying to hack his way in, all he has to do is try three times, then try a different name three times, then back to the original, then the second, and so forth. Better to fail the way you are and refuse to let him try. And lock the actual account he is trying, and use a cookie to slow him down.
And please, don't do passwords like that! Well done on using parameterised queries, but...passwords stored as text is a major security risk. See here: Password Storage: How to do it.[^]
[edit]And one more thing: never report separate messages for bad username and bad password - use the same message so wannabes can't tell if they have a valid username.[/edit]
我这样做是为了让邮件弹出备份并且它可以正常工作,但帐户锁不会。如何解决这个问题以保证一切顺利?
This is what I did to get the messages to pop back up and it works but the account lock will not. How can I fix this to keep everything going?
if (!IsPostBack)
{
Session["counter"] = 0;
}
else
{
Session["counter"] = Convert.ToInt32(Session["counter"]) + 1;
using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
{
con.Open();
string cmdStr = "Select count(*) from Table22 where EmailAddress=@TextBoxEA";
SqlCommand userExist = new SqlCommand(cmdStr, con);
SqlCommand cmd = new SqlCommand("select EmailAddress from Table22", con);
userExist.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());
cmdStr = "Select count(*) from Table22 where EmailAddress = @TextBoxEA AND Password = @TextBoxPW";
userExist = new SqlCommand(cmdStr, con);
userExist.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
userExist.Parameters.Add("@TextBoxPW", TextBoxPW.Text);
int temp2 = Convert.ToInt32(userExist.ExecuteScalar().ToString());
string msg = "";
if (temp == 0)
msg = "alert('User Name Does Not Exist You Must Fill Out Registration First');";
else if (temp == 1)
msg = "alert('Invalid UserName / Password');";
else if (Convert.ToInt32(Session["counter"]) >= 3)
{
msg = "alert('The Account is Locked Please call the Administrator');";
cmdStr = "Update Table22 SET isLocked = 3 where EmailAddress = @TextBoxEA";
userExist = new SqlCommand(cmdStr, con);
userExist.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
userExist.ExecuteNonQuery();
}
if (msg.Length > 0)
{
ScriptManager.RegisterStartupScript(this, this.GetType(), "script", msg, true);
TextBoxEA.Text = string.Empty;
}
con.Close();
}
}
}
这篇关于登录尝试失败会锁定所有帐户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
