CODEWITHSUNDEEP
asp.netauthenticationasp.net-membershipchange-password
Jai
Jai

Reputation: 231

ASP.NET membership password expiration

I am using ASP.NET membership for the authentication of my web app. This worked great for me. I now have to implement password expiration.

If the password has expired the user should be redirected to ChangePassword screen and should not be allowed access to any other part of the application without changing the password.

There are many aspx pages. One solution could be to redirect to the ChangePassword screen OnInit of every aspx if the password has expired. Is there any other solutions or recommendations.

Thanks, Jai

Upvotes: 23

Views: 27076

Answers (6)

Tommy Snacks
Tommy Snacks

Reputation: 171

I used the code from above and only slightly modified it to implement in Asp.NET (4.5) MVC5 using the .NET Identity Provider. Just leaving it here for the next guy/gal :) 

void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        if (this.User.Identity.IsAuthenticated)
        {
            WisewomanDBContext db = new WisewomanDBContext();

            // get user
            var userId = User.Identity.GetUserId();
            ApplicationUser user = db.Users.Find(userId);

            // has their password expired?
            if (user != null && user.PasswordExpires <= DateTime.Now.Date
                && !Request.Path.EndsWith("/Manage/ChangePassword"))
            {
                Response.Redirect("~/Manage/ChangePassword");
            }

            db.Dispose();
        }
    }

Upvotes: 0

Andrew
Andrew

Reputation: 13231

Further to csgero's answer, I found that you don't need to explicitly add an event handler for this event in ASP.Net 2.0 (3.5).

You can simply create the following method in global.asax and it gets wired up for you:

void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
    if (this.User.Identity.IsAuthenticated)
    {
        // get user
        MembershipUser user = Membership.GetUser();

        // has their password expired?
        if (user != null
            && user.LastPasswordChangedDate.Date.AddDays(90) < DateTime.Now.Date
            && !Request.Path.EndsWith("/Account/ChangePassword.aspx"))
        {
            Server.Transfer("~/ChangePassword.aspx");
        }
    }
}

Upvotes: 29

Leniel Maccaferri
Leniel Maccaferri

Reputation: 102448

I got here looking for a solution to this but my current technology is ASP.NET MVC. So to help others: you can extend the AuthorizeAttribute, and override OnAuthorization method, like this:

public class ExpiredPasswordAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        IPrincipal user = filterContext.HttpContext.User;

        if(user != null && user.Identity.IsAuthenticated)
        {
            MembershipUser membershipUser = Membership.GetUser();

            if (PasswordExpired) // Your logic to check if password is expired...
            {
                filterContext.HttpContext.Response.Redirect(
                    string.Format("~/{0}/{1}?{2}", MVC.SGAccount.Name, MVC.SGAccount.ActionNames.ChangePassword,
                    "reason=expired"));

            }
        }

        base.OnAuthorization(filterContext);
    }
}

Note: I use T4MVC to retrieve the Controller and Action names in the code above.

Mark all controllers with this attribute except "AccountController". Doing so no user with an expired password will be able to surf the site.

Here's a post I did on the subject with some bonus points:

User Password Expired filter attribute in ASP.NET MVC

Upvotes: 4

rethenhouser2
rethenhouser2

Reputation: 400

Further to Andrew's answer, I found you need to check that the user is not already on the change password page, or they will never be able to actually change their password, and hence never leave the change password site:

void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        if (this.User.Identity.IsAuthenticated)
        {
            // get user 
            MembershipUser user = Membership.GetUser();

            // has their password expired? 
            if (user != null
                && user.LastPasswordChangedDate.AddMinutes(30) < DateTime.Now
                && !Request.Path.EndsWith("/Account/ChangePassword.aspx"))
            {
                Server.Transfer("~/Account/ChangePassword.aspx");
            }
        }
    }

Upvotes: 9

Moonmouse
Moonmouse

Reputation:

Just implemented this in about an hour, no need to modify your base page. Heres what you have to do:

  1. Respond to the LoggingIn event of the membership control

  2. Find the user in the membership database and get LastPasswordChangedDate

  3. Using a TimeSpan, compare this with the current date and decide if the password was last changed more than the requisite number of days ago. I get this value from web.config

  4. If expired, redirect to the ChangePassword screen

Upvotes: 6

csgero
csgero

Reputation: 2773

You could add an event handler for the HttpApplication.PostAuthenticateRequest event in global.asax and handle the redirection there.

Upvotes: 13

Related Questions