yohan.jayarathna

Reputation: 3463

Prevent cancelling Password change process in MVC 3 Web Application

Here is my problem. My app has a login page, a password reset page and a profile page. The password reset page and the profile page cannot be accessed without authentication.

I have used [Authorize] on the profile action and the password reset action.

In my app I expire the user's password after 30 days. So when a user logs in and the password has expired, I redirect the user to the change password page. Since the user is already authenticated, the user can go to the Profile page by typing the URL (e.g. www.mywebsite.com/Profile/View). This is a loophole.

I don't want the user to be able to cancel the password change process. I want to force the user to change the password.

How can I achieve this?

Upvotes: 1

Views: 214

Answers (1)

Shyju

Reputation: 218832

Have another boolean flag column in your user/password table to indicate whether the user has reset his password after it expired. So every time you expire the password, set this column value of that record to false, and when the user really changes his password as per your process, set the value to true. Now you can check this column value when the user tries to access the View action method (or any other action methods/controllers). You may write this check as a custom action filter and apply it to the action methods/controllers as needed.

You may also use a PasswordLastUpdated datetime column instead of the above mentioned boolean flag. In that case, you need to check whether that value (PasswordLastUpdated) is before or after the datetime which is recorded against the expiration process (the DateExpired column value).

An example of creating a custom action filter is available here.

Upvotes: 1
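The check described in the answer, written as an ASP.NET MVC 3 action filter. This is an added example, not the answerer's code; the `IUserRepository` interface, its two lookup methods, the `Account/ChangePassword` route and the `AllowExpiredPassword` marker attribute are assumptions made for the example. It implements the `PasswordLastUpdated` versus `DateExpired` comparison from the answer and redirects any authenticated request whose password is still expired, while leaving the change-password action itself reachable so the redirect cannot loop.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical data-access abstraction for the two columns the answer describes.
// Read from the store on every request (not from the auth cookie) so that a
// completed password change takes effect immediately.
public interface IUserRepository
{
    DateTime? GetPasswordLastUpdated(string userName);
    DateTime? GetDateExpired(string userName);
}

// Marker for actions that must stay reachable while the password is expired
// (the change-password action, logout, etc.). Assumed name, not from the answer.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AllowExpiredPasswordAttribute : Attribute { }

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public class RequirePasswordChangedAttribute : ActionFilterAttribute
{
    // Resolved through MVC 3's DependencyResolver; replace with your own wiring.
    public static Func<IUserRepository> RepositoryFactory = () =>
        (IUserRepository)DependencyResolver.Current.GetService(typeof(IUserRepository));

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Authorization filters ([Authorize]) run before action filters,
            // so an unauthenticated request never reaches this point.
            return;
        }

        // Do not redirect the change-password action itself (or anything else
        // explicitly allowed), otherwise the user is stuck in a redirect loop.
        var action = filterContext.ActionDescriptor;
        if (action.IsDefined(typeof(AllowExpiredPasswordAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(AllowExpiredPasswordAttribute), true))
        {
            return;
        }

        var repo = RepositoryFactory();
        var name = user.Identity.Name;
        if (PasswordChangeRequired(repo.GetPasswordLastUpdated(name), repo.GetDateExpired(name)))
        {
            // Short-circuit the request: the action method is never invoked.
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
            {
                { "controller", "Account" },
                { "action", "ChangePassword" }
            });
        }
    }

    // The datetime comparison from the answer: a change is still required when
    // the password was expired and has not been updated since that expiration.
    public static bool PasswordChangeRequired(DateTime? passwordLastUpdated, DateTime? dateExpired)
    {
        if (dateExpired == null) return false;         // never expired
        if (passwordLastUpdated == null) return true;  // expired and never updated
        return passwordLastUpdated.Value <= dateExpired.Value;
    }
}

// Usage: apply to the controllers that must be blocked, and mark the
// change-password action as allowed.
[Authorize]
[RequirePasswordChanged]
public class ProfileController : Controller
{
    public ActionResult View() { return Content("profile"); }
}

[Authorize]
public class AccountController : Controller
{
    [AllowExpiredPassword]
    public ActionResult ChangePassword() { return Content("change password form"); }
}
```

Rather than remembering to decorate every controller, the safer choice in MVC 3 is to register the filter globally in `RegisterGlobalFilters` in Global.asax (`filters.Add(new RequirePasswordChangedAttribute());`) and opt the few exempt actions out with the marker attribute; that way a newly added controller is blocked by default instead of reopening the loophole. The filter runs for POST actions as well as GET, so form submissions made with an expired password are rejected too.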
