Handling isLockedOut isn't implemented
I've been working my way through the book and one of the things that I've noticed is that when an account becomes "locked out" after exceeding the number of default login attempts - since it's not specified I think the default value of 5 attempts is used - the login and password controls don't respond any differently to a login attempt after the account is locked out than they do when the account is still open. In both cases, for a wrong password, the control displays:
Your login attempt was not successful. Please try again.
However, in the case of a locked out account, even typing in the correct password displays the same message:
>>Your login attempt was not successful. Please try again.
From a usability standpoint, I'd think that you'd need to tell your users to contact an admin to have their account unlocked or wait before trying again.
According to MS, the default time, if not specified, is 10 minutes.
Unfortunately, this brought up another problem - in the database that was shipped to me, the time was updated incorrectly. Instead of showing a time of 3/26/2006 9:46 PM, the LastLockedOut date shows as 3/27/2006 3:45:23 AM. I think this means that the user's account would automatically be eligible for unlocking not 10 minutes later, but 5 hours and 59 minutes later. Ouch!
How should this be handled? And where? Is this something that needs to be overridden in the provider or is this a page level event?
Thanks,
Joe.