asp.net mvc 3 reset password by admin and force user to change it

Question

I'm using asp.net Membership, I develop an admin page who can regenerate a temp password to send to the user, then when the user log on for first time, the password must be changed, but I cant figure out who to know if the password was reseted.

I tried something like in a base controller:

if (user.LastPasswordChangedDate >= user.LastLoginDate)
{
    filterContext.Result = RedirectToAction("ChangePassword", "Account");
}

But, I already have updated the LastLoginDate because the ChangePassword Action need to be with a autenticated user.

I was thinking when reseting the password to lock/unlock the user to get updated the "LastLockoutDate" and do:

if (user.LastPasswordChangedDate >= user.LastLockoutDate)
{
    filterContext.Result = RedirectToAction("ChangePassword", "Account");
}

But, I can't find a method to do manual lockout

Thanks!!!

Answer 1

There's a lot of things you could do, some would depend on how your system works. For instance, you could store a specific piece of data in the Comment field, if you're not using comments.

Or, if you don't use the "Approved" bit (that is, when you create new users you do not require them to validate an email or something, but instead create them with IsApproved set to true) then you can set IsApproved to False and force a password change if it's false.

There is no method to access much of this data in the Membership API, you just have to access it from you database.

You could also store this in the Personalization provider.

Another option is to simply avoid storing this in the Membership database, and instead just add a table or a field in your apps data to deal with this.