ASP.NET membership password expiration

感动是毒 2021-01-30 14:24

I am using ASP.NET membership for the authentication of my web app. This worked great for me. I now have to implement password expiration.

If the password has expired th

6 Answers
  • 2021-01-30 15:04

    I used the code from above and only slightly modified it to implement in ASP.NET (4.5) MVC5 using the .NET Identity Provider. Just leaving it here for the next guy/gal :)

    void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        if (this.User.Identity.IsAuthenticated)
        {
            // 'using' disposes the context even when Response.Redirect ends the request
            using (WisewomanDBContext db = new WisewomanDBContext())
            {
                // get user (GetUserId is an extension method from Microsoft.AspNet.Identity)
                var userId = User.Identity.GetUserId();
                ApplicationUser user = db.Users.Find(userId);

                // has their password expired?
                if (user != null && user.PasswordExpires <= DateTime.Now.Date
                    && !Request.Path.EndsWith("/Manage/ChangePassword"))
                {
                    Response.Redirect("~/Manage/ChangePassword");
                }
            }
        }
    }
    
  • 2021-01-30 15:05

    You could add an event handler for the HttpApplication.PostAuthenticateRequest event in global.asax and handle the redirection there.

  • 2021-01-30 15:05

    Further to Andrew's answer, I found you need to check that the user is not already on the change password page, or they will never be able to actually change their password, and hence never leave the change password site:

    void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        if (this.User.Identity.IsAuthenticated)
        {
            // get user
            MembershipUser user = Membership.GetUser();

            // has their password expired?
            if (user != null
                && user.LastPasswordChangedDate.AddMinutes(30) < DateTime.Now
                && !Request.Path.EndsWith("/Account/ChangePassword.aspx"))
            {
                Server.Transfer("~/Account/ChangePassword.aspx");
            }
        }
    }
    
  • 2021-01-30 15:08

    Just implemented this in about an hour, no need to modify your base page. Here's what you have to do:

    1. Respond to the LoggingIn event of the membership control

    2. Find the user in the membership database and get LastPasswordChangedDate

    3. Using a TimeSpan, compare this with the current date and decide if the password was last changed more than the requisite number of days ago. I get this value from web.config.

    4. If expired, redirect to the ChangePassword screen

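The four steps in the answer above, written out as a Login control code-behind; this is an added example, not code from the answer. The class name, the handler names, the `PasswordMaxAgeDays` appSettings key and the ChangePassword URL are assumptions.

```csharp
using System;
using System.Configuration;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed markup: <asp:Login ID="Login1" runat="server"
//     OnLoggingIn="Login1_LoggingIn" OnAuthenticate="Login1_Authenticate" />
public partial class LoginPage : Page
{
    private bool credentialsValid;

    // Step 1: LoggingIn fires before the control checks the password, so the
    // credentials are validated here and nothing is revealed to a wrong guess.
    protected void Login1_LoggingIn(object sender, LoginCancelEventArgs e)
    {
        var login = (Login)sender;
        credentialsValid = Membership.ValidateUser(login.UserName, login.Password);
        if (!credentialsValid) return; // Authenticate below reports the failure

        // Step 2: look the user up and read LastPasswordChangedDate.
        MembershipUser user = Membership.GetUser(login.UserName);
        if (user == null) return;

        // Step 3: compare the password age with the limit from web.config
        // (assumed key: <add key="PasswordMaxAgeDays" value="90" />).
        int maxAgeDays;
        if (!int.TryParse(ConfigurationManager.AppSettings["PasswordMaxAgeDays"], out maxAgeDays))
            maxAgeDays = 90; // assumed fallback
        TimeSpan age = DateTime.Now - user.LastPasswordChangedDate;

        // Step 4: expired, so cancel the login (no ticket is issued) and redirect.
        if (age > TimeSpan.FromDays(maxAgeDays))
        {
            e.Cancel = true;
            Response.Redirect("~/Account/ChangePassword.aspx?reason=expired", false);
            Context.ApplicationInstance.CompleteRequest();
        }
    }

    // Reuses the single ValidateUser call so a failed attempt is counted once.
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        e.Authenticated = credentialsValid;
    }
}
```

With this flow the user reaches the change-password page without a ticket, so that page has to ask for the user name and current password itself, for example a ChangePassword control with `DisplayUserName` set to true.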
  • 2021-01-30 15:21

    Further to csgero's answer, I found that you don't need to explicitly add an event handler for this event in ASP.NET 2.0 (3.5).

    You can simply create the following method in global.asax and it gets wired up for you:

    void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        if (this.User.Identity.IsAuthenticated)
        {
            // get user
            MembershipUser user = Membership.GetUser();
    
            // has their password expired?
            if (user != null
                && user.LastPasswordChangedDate.Date.AddDays(90) < DateTime.Now.Date
                && !Request.Path.EndsWith("/Account/ChangePassword.aspx"))
            {
                Server.Transfer("~/ChangePassword.aspx");
            }
        }
    }
    
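A variant of the global.asax handler from the answers above, added here as an example and not taken from any answer: it exempts the change-password page by an exact match on the executing file instead of a suffix test on `Request.Path`, which also matches a URL whose trailing path info ends in the same text. The class name and the use of `Response.Redirect` with `CompleteRequest` are choices of this example; the 90-day limit and the page path come from the answers.

```csharp
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Page path and 90-day limit as used in the answers above.
    private const string ChangePasswordPage = "~/Account/ChangePassword.aspx";
    private static readonly TimeSpan MaxPasswordAge = TimeSpan.FromDays(90);

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        if (User == null || !User.Identity.IsAuthenticated) return;

        // Exact, case-insensitive match on the page being executed.
        // AppRelativeCurrentExecutionFilePath carries no trailing path info,
        // so only the change-password page itself is exempt from the check.
        bool onChangePage = string.Equals(
            Request.AppRelativeCurrentExecutionFilePath,
            ChangePasswordPage,
            StringComparison.OrdinalIgnoreCase);
        if (onChangePage) return;

        MembershipUser user = Membership.GetUser();
        if (user == null) return;

        // LastPasswordChangedDate and DateTime.Now are both compared as local time.
        if (DateTime.Now - user.LastPasswordChangedDate > MaxPasswordAge)
        {
            // Redirect without aborting the thread, then skip the rest of
            // the pipeline so the requested page never executes.
            Response.Redirect(ChangePasswordPage, false);
            CompleteRequest();
        }
    }
}
```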
  • 2021-01-30 15:24

    I got here looking for a solution to this but my current technology is ASP.NET MVC. So to help others: you can extend the AuthorizeAttribute and override the OnAuthorization method, like this:

    using System.Security.Principal;
    using System.Web.Mvc;
    using System.Web.Security;

    public class ExpiredPasswordAttribute : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            IPrincipal user = filterContext.HttpContext.User;
    
            if(user != null && user.Identity.IsAuthenticated)
            {
                MembershipUser membershipUser = Membership.GetUser();
    
                if (PasswordExpired) // Your logic to check if password is expired...
                {
                    filterContext.HttpContext.Response.Redirect(
                        string.Format("~/{0}/{1}?{2}", MVC.SGAccount.Name, MVC.SGAccount.ActionNames.ChangePassword,
                        "reason=expired"));
    
                }
            }
    
            base.OnAuthorization(filterContext);
        }
    }
    

    Note: I use T4MVC to retrieve the Controller and Action names in the code above.

    Mark all controllers with this attribute except "AccountController". Doing so, no user with an expired password will be able to surf the site.

    Here's a post I did on the subject with some bonus points:

    User Password Expired filter attribute in ASP.NET MVC
