I am using ASP.NET membership for the authentication of my web app. This worked great for me. I now have to implement password expiration.
If the password has expired the user should be redirected to ChangePassword screen and should not be allowed access to any other part of the application without changing the password.
There are many aspx pages. One solution could be to redirect to the ChangePassword screen OnInit of every aspx if the password has expired. Is there any other solutions or recommendations.
Thanks, Jai
Further to csgero's answer, I found that you don't need to explicitly add an event handler for this event in ASP.Net 2.0 (3.5).
You can simply create the following method in global.asax and it gets wired up for you:
void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
if (this.User.Identity.IsAuthenticated)
{
// get user
MembershipUser user = Membership.GetUser();
// has their password expired?
if (user != null
&& user.LastPasswordChangedDate.Date.AddDays(90) < DateTime.Now.Date
&& !Request.Path.EndsWith("/Account/ChangePassword.aspx"))
{
Server.Transfer("~/ChangePassword.aspx");
}
}
}
You could add an event handler for the HttpApplication.PostAuthenticateRequest event in global.asax and handle the redirection there.
Further to Andrew's answer, I found you need to check that the user is not already on the change password page, or they will never be able to actually change their password, and hence never leave the change password site:
void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
if (this.User.Identity.IsAuthenticated)
{
// get user
MembershipUser user = Membership.GetUser();
// has their password expired?
if (user != null
&& user.LastPasswordChangedDate.AddMinutes(30) < DateTime.Now
&& !Request.Path.EndsWith("/Account/ChangePassword.aspx"))
{
Server.Transfer("~/Account/ChangePassword.aspx");
}
}
}
Just implemented this in about an hour, no need to modify your base page. Heres what you have to do:
Respond to the
LoggingInevent of the membership controlFind the user in the membership database and get
LastPasswordChangedDateUsing a TimeSpan, compare this with the current date and decide if the password was last changed more than the requisite number of days ago. I get this value from web.config
If expired, redirect to the
ChangePasswordscreen
I got here looking for a solution to this but my current technology is ASP.NET MVC. So to help others: you can extend the AuthorizeAttribute, and override OnAuthorization method, like this:
public class ExpiredPasswordAttribute : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
IPrincipal user = filterContext.HttpContext.User;
if(user != null && user.Identity.IsAuthenticated)
{
MembershipUser membershipUser = Membership.GetUser();
if (PasswordExpired) // Your logic to check if password is expired...
{
filterContext.HttpContext.Response.Redirect(
string.Format("~/{0}/{1}?{2}", MVC.SGAccount.Name, MVC.SGAccount.ActionNames.ChangePassword,
"reason=expired"));
}
}
base.OnAuthorization(filterContext);
}
}
Note: I use T4MVC to retrieve the Controller and Action names in the code above.
Mark all controllers with this attribute except "AccountController". Doing so no user with an expired password will be able to surf the site.
Here's a post I did on the subject with some bonus points:
I used the code from above and only slightly modified it to implement in Asp.NET (4.5) MVC5 using the .NET Identity Provider. Just leaving it here for the next guy/gal :)
void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
if (this.User.Identity.IsAuthenticated)
{
WisewomanDBContext db = new WisewomanDBContext();
// get user
var userId = User.Identity.GetUserId();
ApplicationUser user = db.Users.Find(userId);
// has their password expired?
if (user != null && user.PasswordExpires <= DateTime.Now.Date
&& !Request.Path.EndsWith("/Manage/ChangePassword"))
{
Response.Redirect("~/Manage/ChangePassword");
}
db.Dispose();
}
}
来源:https://stackoverflow.com/questions/349286/asp-net-membership-password-expiration