Reputation: 5428
I'm using vanilla forms authentication. If I have multiple sessions open as the same user, and I change the password in one session, the other session still authenticates.
I would expect that the second session would prompt me for my credentials again.
Would I have to write the hashed password to the cookie and check that on each request to obtain this functionality?
Seems like a security hole to me.
Upvotes: 2
Views: 298
Reputation: 1982
As mentioned in my comment, you need to force this action yourself if that is the behavior you want. This could be as simple as deriving all secure pages from your own "SecureBasePage". In that secure page you can poll your database to see if the password has changed since the user was authorized.
Upvotes: 0
Reputation: 4282
This is expected behavior. FormsAuthentication stores the user information only (with some other data to validate that the server in fact produced that cookie). The cookie itself is the valid credential (or ticket or claim). If you are concerned about this you should reduce the time the forms cookie is valid for, or potentially phone home even more often to ask the server if a password change has occurred and, if so, execute the FormsAuthentication.SignOut() action to force a re-login.
Maybe not what you want FormsAuthentication to do, but what it does.
Hope this helps.
Upvotes: 2
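The "SecureBasePage" approach from the first answer and the "phone home, then FormsAuthentication.SignOut()" approach from the second answer are the same check; the following is an added example of it in C#, not code from either answer. It assumes the application records, in UTC, when each user's password was last changed (the `GetPasswordLastChangedUtc` hook and the `InMemoryUserStore` stand-in are hypothetical) and compares that with the issue time of the decrypted forms ticket. A ticket issued before the last password change is treated as revoked.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Base page for every page that requires authentication. It re-validates the
// forms ticket on each request against the password-change timestamp so that
// a ticket issued before the change can no longer be used.
public abstract class SecureBasePage : Page
{
    // Hypothetical hook: the application's user store is assumed to record
    // (in UTC) when the password was last changed; null means "never".
    protected abstract DateTime? GetPasswordLastChangedUtc(string userName);

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        EnsureTicketIsStillValid();
    }

    private void EnsureTicketIsStillValid()
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return; // anonymous request; normal <authorization> rules apply
        }

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt verifies the MAC, so a forged or edited cookie throws.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            ticket = null;
        }

        if (ticket == null || ticket.Expired)
        {
            ForceReLogin();
            return;
        }

        DateTime? changedUtc = GetPasswordLastChangedUtc(ticket.Name);

        // IssueDate is server-local time; compare both sides in UTC.
        if (changedUtc.HasValue && changedUtc.Value > ticket.IssueDate.ToUniversalTime())
        {
            ForceReLogin();
        }
    }

    private void ForceReLogin()
    {
        FormsAuthentication.SignOut();          // clears the forms cookie
        if (Context.Session != null)
        {
            Context.Session.Abandon();          // drop server-side session state too
        }
        FormsAuthentication.RedirectToLoginPage();
    }
}

// Constructed stand-in for the real user store, keyed by user name.
public static class InMemoryUserStore
{
    private static readonly Dictionary<string, DateTime> PasswordChangedUtc =
        new Dictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Call this from the change-password handler after the new hash is saved.
    public static void RecordPasswordChange(string userName)
    {
        PasswordChangedUtc[userName] = DateTime.UtcNow;
    }

    public static DateTime? GetPasswordLastChangedUtc(string userName)
    {
        DateTime when;
        return PasswordChangedUtc.TryGetValue(userName, out when) ? when : (DateTime?)null;
    }
}

// Example of a concrete page wired to the stand-in store.
public class AccountSettingsPage : SecureBasePage
{
    protected override DateTime? GetPasswordLastChangedUtc(string userName)
    {
        return InMemoryUserStore.GetPasswordLastChangedUtc(userName);
    }
}
```

Two practical points: the lookup runs on every request to a secure page, so cache the timestamp (for example, for a minute) if the user store is remote; and because the check lives in a Page subclass it does not cover handlers, web services or static files, so the same logic is better placed in `Application_PostAuthenticateRequest` in Global.asax when those resources are also protected.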