I’m on v13.8.1 and suddenly when the members get locked out due to too many wrong password attempts, they are not unlocked anymore when they reset the password.
I’m sure this worked in the past, but I cannot find the reason why this changed.
The password of the member changes, but IsLocked does not go to false. So even if the member successfully changed the password and logs in with the new password, they get an error that they are locked.
I tried to set lastLockoutDate to the past and then IsLocked is set to false when you reset the password.
The code used to reset the password:
var result = await memberManager.ResetPasswordAsync(identityMember, model.Token, model.Password);
Should I change the Member Default Lockout Time In Minutes?
EDIT:
Changed "MemberDefaultLockoutTimeInMinutes": 1, but the user doesn’t get unlocked if I reset the password after 1 minute after locking the account.
I also did some debugging and found out that in Microsoft.AspNetCore.Identity.UserManager there is a method IsLockedOutAsync that compares lockoutTime with UtcNow:
var lockoutTime = await store.GetLockoutEndDateAsync(user, CancellationToken).ConfigureAwait(false);
return lockoutTime >= DateTimeOffset.UtcNow;

The problem is that it seems to compare local time and Utc time and does not take timezone into account.
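
The comparison quoted above, as an added example that is not part of the original post and is not Umbraco or ASP.NET Core Identity code: it shows how the same stored lockout timestamp gives different `lockoutTime >= DateTimeOffset.UtcNow` results depending on the offset attached when it is read back. The `IsLockedOut` helper, the timestamps and the UTC-02:00 / UTC+02:00 offsets are constructed assumptions.

```csharp
using System;

static class LockoutDemo
{
    // Same comparison as the IsLockedOutAsync lines quoted above, with the
    // clock passed in so the result is reproducible. (Hypothetical helper.)
    static bool IsLockedOut(DateTimeOffset? lockoutEnd, DateTimeOffset nowUtc)
        => lockoutEnd >= nowUtc;

    static void Main()
    {
        // Constructed sample values, not taken from a real database.
        var nowUtc = new DateTimeOffset(2024, 1, 1, 12, 0, 0, TimeSpan.Zero);
        var stored = new DateTime(2024, 1, 1, 11, 59, 0); // Kind = Unspecified

        // Read as UTC: the lockout ended one minute before nowUtc.
        var asUtc = new DateTimeOffset(stored, TimeSpan.Zero);

        // Same digits read as local time on a server at UTC-02:00 (assumed):
        // the instant becomes 13:59 UTC, which is after nowUtc.
        var asLocalWest = new DateTimeOffset(stored, TimeSpan.FromHours(-2));

        // Same digits read as local time at UTC+02:00 (assumed):
        // the instant becomes 09:59 UTC, which is before nowUtc.
        var asLocalEast = new DateTimeOffset(stored, TimeSpan.FromHours(2));

        // DateTimeOffset operators compare instants (UtcDateTime), so only the
        // offset attached at read time changes the outcome.
        Console.WriteLine($"read as UTC       -> locked: {IsLockedOut(asUtc, nowUtc)}");
        Console.WriteLine($"read as UTC-02:00 -> locked: {IsLockedOut(asLocalWest, nowUtc)}");
        Console.WriteLine($"read as UTC+02:00 -> locked: {IsLockedOut(asLocalEast, nowUtc)}");

        // No lockout end stored: the lifted >= with a null operand is false.
        Console.WriteLine($"no lockout end    -> locked: {IsLockedOut(null, nowUtc)}");

        // Implicit DateTime -> DateTimeOffset conversion: Kind = Utc gets offset
        // zero, Kind = Local or Unspecified gets this machine's local offset.
        DateTimeOffset implicitConv = stored;
        Console.WriteLine($"implicit conversion offset on this machine: {implicitConv.Offset}");
    }
}
```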