Closed iishnz closed 3 years ago
Adding that this is also not working in 8.9.2.
I can reproduce, and my finding so far is that it is a caching issue.
Fixed in PR https://github.com/umbraco/Umbraco-CMS/pull/9921 and cherry picked for patch releases from 8.6 upwards.
Bug summary
A front-end member can enter an unlimited amount of incorrect password attempts without being locked out. The number of failed password attempts does not get recorded in the member property in the Backoffice. There is also an issue with the last login date in that it can revert to an older date, but I think this is caused by the same bug.
Umbraco version
This is not working in 8.11.1 - it was previously working in 8.6.4
Reproduction
On a fresh install of Umbraco with the built-in starter kit
Create the following partial views using the built-in snippets:
Edit the Home template and add the following somewhere near the top:
Create a member in the back-office to test with.
On the homepage, login with your test member using an invalid password
In the back-office, go to the members section and review the "Failed Password Attempts" property for your test member, it will probably say "1"
On the homepage, try and log in again with your test member using an invalid password, then check the back-office again, the "Failed Password Attempts" did not change.
By default a member should be locked out after 5 invalid attempts. Try logging in 20 times with an invalid password, then try with the correct password - the member is logged in.
Expected result
Failed login attempts should be recorded. A member should be locked after a certain amount of failed password attempts.
Actual result
The member was not locked out and the number of failed login attempts was not recorded.
_This item has been added to our backlog AB#10589_
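The symptom reported in this thread (counter stuck at 1, no lockout after 20 attempts) can be modelled as an added example; it is not Umbraco code and not the fix from the PR. The thread only says the cause is a caching issue, so the stale-read mechanism below is an assumption, and `MemberStore`, `login` and `run` are hypothetical names.

```python
# Constructed model of a lockout counter behind a read cache (not Umbraco code).
MAX_ATTEMPTS = 5  # the issue states lockout is expected after 5 invalid attempts

class MemberStore:
    def __init__(self, invalidate_on_save):
        self.db = {}      # persisted member records
        self.cache = {}   # read cache in front of the persisted records
        self.invalidate_on_save = invalidate_on_save

    def create(self, name, password):
        # Plain-text password only because this is a toy model.
        self.db[name] = {"password": password, "failed": 0, "locked": False}

    def get(self, name):
        if name not in self.cache:
            self.cache[name] = dict(self.db[name])  # snapshot taken once
        return dict(self.cache[name])

    def save(self, name, member):
        self.db[name] = dict(member)
        if self.invalidate_on_save:
            self.cache.pop(name, None)  # next read sees the new counter

def login(store, name, password):
    member = store.get(name)
    if member["locked"]:
        return False
    if member["password"] == password:
        member["failed"] = 0
        store.save(name, member)
        return True
    # Read-modify-write: wrong if 'member' came from a stale snapshot.
    member["failed"] += 1
    member["locked"] = member["failed"] >= MAX_ATTEMPTS
    store.save(name, member)
    return False

def run(invalidate_on_save, attempts=20):
    """Replay the reproduction: N bad passwords, then the correct one."""
    store = MemberStore(invalidate_on_save)
    store.create("test-member", "correct-password")
    for _ in range(attempts):
        login(store, "test-member", "wrong-password")
    recorded = store.db["test-member"]["failed"]
    return recorded, login(store, "test-member", "correct-password")

if __name__ == "__main__":
    print("stale cache:", run(False))  # counter never advances past 1
    print("invalidated:", run(True))   # counter reaches 5 and member is locked
```

The same replay (N failed logins, then assert the stored counter and the lockout state) is usable as a regression test against any member store after an upgrade.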