tags:

views:

482

answers:

2
+2  Q: 

ASP.NET MVC - How to handle an expired password?

What's the best way to handle an expired password in an ASP.NET MVC application?

Let me explain - ASP.NET MVC is obviously set up (both in the barebones app the NerdDinner example) to handle the following scenarios:

  • Register new users
  • Allow them to change their password
  • Log in using a valid account/password

What it doesn't have is a really good way to do the following:

  • Force the user to change their password if it is expired

The ASP.NET MVC way of thinking points to the idea of having the user go to a separate URL/view to perform the password changes.

The problem with this idea is that I don't want people to be able to go to this URL if they're not logged in, and I don't want them to be able to go anywhere else in the site with an expired password.

In the past the way I've handled this is to have the user not leave the login page and have an ASP.NET panel show itself with the "oh hey you need to change your password" bit, and hide the rest of the page. At this point the user is not logged on yet, so they won't be authenticated and can't go anywhere until they change their password.

But ASP.NET MVC makes this difficult. If I do like above and have everything on the login page then I have to have a very cumbersome Login() action in order to handle all of the possible posted values. If I have it post to another action/view then I run the risk of either having to log in the user or have the change password page be not protected by authentication (since, unlike the "change password" bit you get provided with, I don't want them to be authenticated when they see the page).

I can envision a few scenarios wherein you would set something in ViewData to indicate the password is expired and insist on redirecting the user to the "Change Password" page, but I'm not sure if that's a safe thing to do.

+2  A: 

I would consider using a custom (extending the existing) AuthorizeFilter that sets the ActionResult on the AuthorizationContext to redirect to your change password action if the user is authenticated but the password is expired. This would allow them to login normally, but restrict them to only that action if their password is expired. I use a similar approach in one of my apps that redirects a person to an event enrollment page if they are registered with the site but haven't signed up for an event yet (it's a charity event management app).

You might even be able to implement it as a separate filter and still use the existing one for authorization.

 [Authorize]
 [RequiresUnexpiredPassword]
 public class MyController : Controller
 {
     ...
 }

Of course, you'd have to make sure the ChangePassword action is allowed to proceed without being redirected by the filter.

tvanfosson  2009-07-02 16:45:36
I think it's not a good idea to create RequiresUnexpiredPassword attribute because you will have to apply this attribute to ALL the controllers [Assuming that author doesn't want user to browse the application with expired password]. It's better to modify the behavior of the Authorize attribute itself.
SolutionYogi  2009-07-02 16:53:34
You have to remember to decorate the methods/controllers with the Authorize attribute as well. As I said, you could either extend the authorize filter OR have a separate attribute. A separate attribute would be in keeping with the single responsibility principle and also be flexible. In this case, however, I'd probably go with my first suggestion -- which is also your suggestion minus the exception -- and use a custom authorize filter.
tvanfosson  2009-07-02 17:13:46
Yes, but Authorize attribute is already in place so that's a moot point.
SolutionYogi  2009-07-02 20:53:59
I implemented this solution - full details on how to do it here: http://zootfroot.blogspot.com/2010/08/aspnet-mvc-2-force-password-change.html
James McCormack  2010-09-25 22:43:31
+2  A: 

How about creating a custom AuthorizationAttribute and overriding the OnAuthorization method [ Sample code here: http://stackoverflow.com/questions/554094/asp-net-mvc-adding-to-the-authorize-attribute ] .

In that method, you can check if the password has expired, throw PasswordExpiredException. Catch this exception in Base Controller and redirect the user to 'Change Password' action.

SolutionYogi  2009-07-02 16:49:07
Why throw an exception when you can just set the AuthorizeContext result property and do the redirection?
tvanfosson  2009-07-02 17:11:37

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication