HighTechTalks DotNet Forums  

Asp.net Membership Lock Out

rmgalante@galaware.com

Asp.net Membership Lock Out - 01-03-2008, 12:30 PM






I am using the standard asp.net membership provider. I have users who
forget their password. They attempt to login 5 times and they get
locked out. The membership configuration in web.config follows.

<add connectionStringName="SomeDB" enablePasswordRetrieval="false"
enablePasswordReset="true" requiresQuestionAndAnswer="false"
applicationName="SomeApp" requiresUniqueEmail="true"
passwordFormat="Hashed" maxInvalidPasswordAttempts="5"
passwordAttemptWindow="10" passwordStrengthRegularExpression=""
minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0"
name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider"/>

Once the user is locked out, the reset password doesn't work. I have
to unlock the user before it will send a new password. Is this the
correct operation of this feature? Do I have to manually unlock these
users before they can retrieve a new password?

Thanks.

Rob

Phil H

Re: Asp.net Membership Lock Out - 01-03-2008, 04:33 PM






On 3 Jan, 18:30, rmgala... (AT) galaware (DOT) com wrote:
Quote:
I am using the standard asp.net membership provider. I have users who
forget their password. They attempt to login 5 times and they get
locked out. The membership configuration in web.config follows.

<add connectionStringName="SomeDB" enablePasswordRetrieval="false"
enablePasswordReset="true" requiresQuestionAndAnswer="false"
applicationName="SomeApp" requiresUniqueEmail="true"
passwordFormat="Hashed" maxInvalidPasswordAttempts="5"
passwordAttemptWindow="10" passwordStrengthRegularExpression=""
minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0"
name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider"/>

Once the user is locked out, the reset password doesn't work. I have
to unlock the user before it will send a new password. Is this the
correct operation of this feature? Do I have to manually unlock these
users before they can retrieve a new password?

Thanks.

Rob

Hi

The help files for the Membership class say this:

"If the number of invalid passwords or password answers entered for a
membership user is greater than or equal to the value of the
MaxInvalidPasswordAttempts property within the number of minutes
specified by the PasswordAttemptWindow property, then the user is
locked out of the Web site by setting the IsLockedOut property to true
until the user is unlocked by a call to the UnlockUser method.

If a valid password or password answer is supplied before the value of
the MaxInvalidPasswordAttempts property is reached, the counter that
tracks the number of invalid attempts is set to zero."

My interpretation of this is that a lock-out status cannot be undone
with a belated request for help by the user.

If I'm right then the only way round it is to create a custom process
for password retrieval that will execute the UnlockUser method once
the user has been verified as genuine (perhaps by e-mail).
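
One way to build the e-mail-verified unlock described in the reply above, as an added example that is not code from either poster. IResetTokenStore, LockedOutRecovery and the 30-minute token lifetime are hypothetical; the Membership and MembershipUser calls are the standard System.Web.Security ones.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Security;

// Hypothetical store for token hashes (e.g. a table keyed by user name).
public interface IResetTokenStore
{
    void Save(string userName, byte[] tokenHash, DateTime expiresUtc);
    // False if no unexpired token exists; a returned token is deleted (single use).
    bool TryTake(string userName, out byte[] tokenHash);
}

public class LockedOutRecovery
{
    private readonly IResetTokenStore store;
    public LockedOutRecovery(IResetTokenStore store) { this.store = store; }

    // Step 1: create a one-time token; the caller e-mails it to user.Email only.
    public string IssueToken(MembershipUser user)
    {
        byte[] raw = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(raw);
        store.Save(user.UserName, Hash(raw), DateTime.UtcNow.AddMinutes(30)); // assumed lifetime
        return Convert.ToBase64String(raw);
    }

    // Step 2: unlock and reset only after the e-mailed token checks out.
    public string Redeem(string userName, string token)
    {
        byte[] expected, presented;
        if (token == null || !store.TryTake(userName, out expected)) return null;
        try { presented = Hash(Convert.FromBase64String(token)); }
        catch (FormatException) { return null; }
        int diff = expected.Length ^ presented.Length;   // constant-time compare
        for (int i = 0; i < expected.Length && i < presented.Length; i++)
            diff |= expected[i] ^ presented[i];
        if (diff != 0) return null;

        MembershipUser user = Membership.GetUser(userName);
        if (user == null) return null;
        if (user.IsLockedOut && !user.UnlockUser()) return null;
        return user.ResetPassword();   // no answer needed: requiresQuestionAndAnswer="false"
    }

    private static byte[] Hash(byte[] data)
    {
        using (SHA256 sha = SHA256.Create()) return sha.ComputeHash(data);
    }
}
```

Because the unlock happens only after the token sent to the registered address is redeemed, the lockout still limits password guessing: repeated recovery requests for someone else's account do not reset the provider's invalid-attempt counter.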

