ASP.NET Web Pages – Login

[ This is an 8 part tutorial, previous tutorial Account Confirmation]

In the login page add the following:

@{
    var rememberMe = false;
    if (IsPost) {
        var UserName = Request["UserName"];
        var Password = Request["Password"];
        rememberMe = Request["rememberMe"].AsBool();
        // Same rules as the registration page: both fields required,
        // password 6 to 16 characters, user name must be an email address
        Validation.RequireFields("UserName", "Password");
        Validation.Add("Password", Validator.StringLength(16, 6));
        Validation.Add("UserName",
            Validator.Regex(@"\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*", "Your username should be an email address"));
        var returnurl = Request["returnurl"];
        if (returnurl.IsEmpty()) {
            returnurl = Href("~/members/default");
        }
        // the login logic in the next code block follows here, still inside if (IsPost)

Similar to the registration page, you have variables that read the values of the HTML form fields. rememberMe is a Boolean used to remember the user for a longer period of time; by default an ASP.NET login expires at the end of the browser session (when the browser is closed). The validation rules are the same ones set on the registration page, so they should be applied here as well: both fields are required, the user name must be a valid email address, and the password must be between 6 and 16 characters long.

The returnurl is a different component. When a user requests a restricted area, by default ASP.NET redirects them to account/login with a query string parameter called returnurl. This is used to send the user back to where they were before logging in. In our case, if returnurl is empty we simply redirect them to the members’ area page after login.

        if (Validation.IsValid()) {
            if (WebSecurity.UserExists(UserName) && WebSecurity.GetPasswordFailuresSinceLastSuccess(UserName) >= 4
                && WebSecurity.GetLastPasswordFailureDate(UserName).AddMinutes(2) > DateTime.UtcNow) {
                // Locked out: 4 or more failures, the last one less than 2 minutes ago
                Response.Redirect(Href("~/account/lockedout")); // placeholder path: the tutorial does not name its lockout page
            } else if (WebSecurity.IsConfirmed(UserName)) {
                if (WebSecurity.Login(UserName, Password, rememberMe)) {
                    Response.Redirect(returnurl);
                } else {
                    Validation.AddFormError("Incorrect username or password");
                }
            } else {
                Validation.AddFormError("User does not exist or account is not confirmed");
            }
        }
    }
}

If the data is valid we begin the login process. The first thing we do is ensure that the user is not locked out: an account with 4 or more failed login attempts since its last successful login is locked out for 2 minutes. This is done by retrieving the number of password failures since the last success; if it is 4 or more, we add 2 minutes to the date of the last password failure and, if that date is still later than the current UTC time, we redirect the user away instead of logging them in. The comparison must use DateTime.UtcNow, because the failure date is stored in UTC.

Next we check that the account is confirmed before logging the user in. WebSecurity.Login takes 3 arguments: the user name, the password and a persistCookie flag; when persistCookie is true the authentication cookie survives closing the browser, so the computer stays logged in for a longer period of time. Once the user is logged in we redirect them to the value of the variable returnurl.
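Redirecting to whatever arrives in returnurl makes the login page an open redirect: a crafted link can send a user who has just logged in to an external site. The following is an added example, not code from the tutorial, of a check that accepts only URLs local to the site; the class name ReturnUrl, the method names and the sample inputs are assumptions of mine. System.Web.WebPages ships Context.RedirectLocal(url) and Request.IsUrlLocalToHost(url), which apply an equivalent rule.

```csharp
// Added example, not from the tutorial: reject non-local return URLs before
// calling Response.Redirect(returnurl). Class and method names are assumed.
using System;

public static class ReturnUrl
{
    // A URL counts as local only when it is a path on this host: it starts
    // with a single "/" or with the app-relative prefix "~/". "//host" and
    // "/\host" are rejected because browsers treat them as protocol-relative
    // links to another host, and "~//host" would resolve to the same thing.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrWhiteSpace(url))
            return false;
        url = url.Trim();
        if (url.StartsWith("~/", StringComparison.Ordinal))
            return url.Length == 2 || (url[2] != '/' && url[2] != '\\');
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        return false;   // absolute URLs (http:, https:, javascript:, ...) and bare hosts
    }

    // The value to redirect to: the requested URL if it is local, else the fallback.
    // In the login page: var returnurl = ReturnUrl.Sanitize(Request["returnurl"], Href("~/members/default"));
    public static string Sanitize(string requested, string fallback)
    {
        return IsLocalUrl(requested) ? requested : fallback;
    }

    public static void Main()
    {
        // Constructed sample inputs; the fallback is the tutorial's members page.
        string fallback = "/members/default";
        string[] samples = {
            "/members/profile", "~/members/default", "", "   ",
            "//evil.example", "/\\evil.example", "~//evil.example",
            "http://evil.example/members", "evil.example"
        };
        foreach (var s in samples)
            Console.WriteLine("{0,-30} -> {1}", s, Sanitize(s, fallback));
    }
}
```

Only the first two samples are passed through unchanged; every other input falls back to the members page.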


<form method="post">
    @Html.ValidationSummary()  @* shows the Validation.AddFormError messages *@
    <input type="text" name="UserName"/>
    <input type="password" name="Password"/>
    <label>Remember Me?</label>
    <input type="checkbox" name="rememberMe" value="true" checked="@rememberMe"/>
    <input type="submit" value="Log in"/>
</form>

[ Continue, Forgot Password Page ]