Hi Hung,
This is now fixed in the source code repository. Note that this issue does not affect the 2.3.8.1 release, this is from a recent change in the repository.
Also my fix is not the same as yours because your suggested fix would have broken LDAP authentication where the user may be null but if we have successful LDAP authentication then we create the user. Returning false would have prevented LDAP auth for new users.
My fix is like this:
if ((siteUser != null) && (siteUser.IsLockedOut) && (WebConfigSettings.ReturnFalseInValidateUserIfAccountLocked))
{
return false;
}
Best,
Joe