ASP.NET membership password expiration

Asked 8/12, 2008 at 11:52 Answered 10/3, 2016 at 21:32

asp.net authentication asp.net-membership change-password

I am using ASP.NET membership for the authentication of my web app. This worked great for me. I now have to implement password expiration.

If the password has expired the user should be redirected to ChangePassword screen and should not be allowed access to any other part of the application without changing the password.

There are many aspx pages. One solution could be to redirect to the ChangePassword screen OnInit of every aspx if the password has expired. Is there any other solutions or recommendations.

Thanks, Jai

Latia answered 8/12, 2008 at 11:52 Comment(0)

Further to csgero's answer, I found that you don't need to explicitly add an event handler for this event in ASP.Net 2.0 (3.5).

You can simply create the following method in global.asax and it gets wired up for you:

void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
    if (this.User.Identity.IsAuthenticated)
    {
        // get user
        MembershipUser user = Membership.GetUser();

        // has their password expired?
        if (user != null
            && user.LastPasswordChangedDate.Date.AddDays(90) < DateTime.Now.Date
            && !Request.Path.EndsWith("/Account/ChangePassword.aspx"))
        {
            Server.Transfer("~/ChangePassword.aspx");
        }
    }
}

Dinger answered 15/7, 2011 at 9:29 Comment(2)

Please note Ben Rethmeier's fix below (https://mcmap.net/q/556285/-asp-net-membership-password-expiration) so that it is possible to change password on the change password screen. – Fagoting 13/3, 2013 at 22:36

Thanks @shrodes - I've updated my answer to include Ben Rethmeier's fix :o) – Dinger 13/3, 2013 at 23:2

You could add an event handler for the HttpApplication.PostAuthenticateRequest event in global.asax and handle the redirection there.

Battle answered 8/12, 2008 at 14:17 Comment(1)

That's what I'd do, combined with using the LastPasswordChangedDate property of the Membership Provider to determine when it expires. – Crosstree 8/12, 2008 at 14:45

Further to Andrew's answer, I found you need to check that the user is not already on the change password page, or they will never be able to actually change their password, and hence never leave the change password site:

void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        if (this.User.Identity.IsAuthenticated)
        {
            // get user 
            MembershipUser user = Membership.GetUser();

            // has their password expired? 
            if (user != null
                && user.LastPasswordChangedDate.AddMinutes(30) < DateTime.Now
                && !Request.Path.EndsWith("/Account/ChangePassword.aspx"))
            {
                Server.Transfer("~/Account/ChangePassword.aspx");
            }
        }
    }

Palaver answered 26/3, 2012 at 20:53 Comment(0)

Just implemented this in about an hour, no need to modify your base page. Heres what you have to do:

Respond to the LoggingIn event of the membership control
Find the user in the membership database and get LastPasswordChangedDate
Using a TimeSpan, compare this with the current date and decide if the password was last changed more than the requisite number of days ago. I get this value from web.config
If expired, redirect to the ChangePassword screen

Andromede answered 24/7, 2009 at 13:59 Comment(5)

This will not catch users who have an existing auth ticket ("remember me"). csgero's solution is correct. – Feculent 19/5, 2011 at 17:42

Yes, if they are currently authenticated I would say that is not a big issue, unless you make your cookies valid to infinity. Perhaps if you detect that they are already logged in, and expired, then just set the cookie to expire in 20 minutes or so, each time. Then, when they come back, they'll have to change it. – Dinger 18/8, 2011 at 5:15

The issue with checking in PostAuth also is a ton of added system activity for every single request. As long as your tickets expire fairly often there shouldn't be much of an issue, OR you simply run the PostAuth code for +1 day beyond your timeout time. This ensures anyone who hits the site with a valid forms auth ticket gets checked. Then if they don't login at all during that time, the forms auth tickets expire and LogginIn even can be used. After +1 day beyond the ticket expire time you can then remove the PostAuth event. Also you'll want to check upon login – Auspex 24/1, 2012 at 21:46

and force their ticket to expire at a MAX when their password expires. This prevents those cases of people expiring before their token is up. – Auspex 24/1, 2012 at 21:46

This will not catch users who simply navigate away from the change password screen. They have just authenticated, they're good to go. That is why you have to check each request, inelegant though it is. – Humanitarian 9/3, 2015 at 12:50

I got here looking for a solution to this but my current technology is ASP.NET MVC. So to help others: you can extend the AuthorizeAttribute, and override OnAuthorization method, like this:

public class ExpiredPasswordAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        IPrincipal user = filterContext.HttpContext.User;

        if(user != null && user.Identity.IsAuthenticated)
        {
            MembershipUser membershipUser = Membership.GetUser();

            if (PasswordExpired) // Your logic to check if password is expired...
            {
                filterContext.HttpContext.Response.Redirect(
                    string.Format("~/{0}/{1}?{2}", MVC.SGAccount.Name, MVC.SGAccount.ActionNames.ChangePassword,
                    "reason=expired"));

            }
        }

        base.OnAuthorization(filterContext);
    }
}

Note: I use T4MVC to retrieve the Controller and Action names in the code above.

Mark all controllers with this attribute except "AccountController". Doing so no user with an expired password will be able to surf the site.

Here's a post I did on the subject with some bonus points:

User Password Expired filter attribute in ASP.NET MVC

Antagonism answered 23/5, 2012 at 20:44 Comment(0)

I used the code from above and only slightly modified it to implement in Asp.NET (4.5) MVC5 using the .NET Identity Provider. Just leaving it here for the next guy/gal :)

void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        if (this.User.Identity.IsAuthenticated)
        {
            WisewomanDBContext db = new WisewomanDBContext();

            // get user
            var userId = User.Identity.GetUserId();
            ApplicationUser user = db.Users.Find(userId);

            // has their password expired?
            if (user != null && user.PasswordExpires <= DateTime.Now.Date
                && !Request.Path.EndsWith("/Manage/ChangePassword"))
            {
                Response.Redirect("~/Manage/ChangePassword");
            }

            db.Dispose();
        }
    }

Breakaway answered 10/3, 2016 at 21:32 Comment(0)

Recommended topics

Hot tags