Verify User Data Before Every Action

Question

I have a user model that requires the user to change their password every three months. I need to somehow check to see if the user is logged in (we allow anonymous browsers on certain sections of the site) and if their password is expired, force them to enter a new one before they can do anything else.

The brute-force way of doing this would be to add a little bit of code to each and every action (except the ChangePassword action in Account). For example:

var authenticatedUser = GetAuthenticatedUser();
if (authenticatedUser != null && authenticatedUser.IsPasswordExpired)
    return RedirectToAction("Account", "ChangePassword");

Obviously that's a horrible way to solve this problem but I'm not sure what the right way to do it is. Any ideas? I'm pretty sure that we're going to have to add more user data checks like this in the future, so I'd really like to find a good solution to it now.

Answer 1

You could write your own HttpModule and validate it on every request once. You can derive from HttpModule and stick it in the web.config httpModules configuration section.

Answer 2

I do custom authentication in my base controller class (all my controllers derive from this). You can override the protected Controller.OnAuthorization method. Note that OnAuthorization gets called after the Controller.Initialize method, so if you put other custom logic in the Initialize method, just remember that this is called first.

    /// <summary>
 /// Called when authorization occurs.
 /// </summary>
 /// <param name="filterContext">Contains information about the current request and action.</param>
 protected override void OnAuthorization(AuthorizationContext filterContext)
 {
  // Do custom authentication here.
  Authenticate();

  base.OnAuthorization(filterContext);
 }