tags:

views:

141

answers:

2
Q: 

Where should I place a check that may redirect a request?

I need to redirect users to the Change Password page if their password has expired.

I want to place this code in one place so that any request can be redirected to the change password page.

I've looked into extending the AuthorizeAttribute, and overriding OnActionExecuting, but neither work/allow me to short circuit the routing logic to redirect to the password change page.

For a little clarification, the logic would be:

Unauthorized request:
-> any URL -> AuthorizeAttribute -> Login.aspx -> password expired -> ChangePassword.aspx

Authorized request:
-> any URL -> ??????? -> ChangePassword.aspx

Its that ???? part that I'm not sure what to do.

I think I'm going to go with extending the AuthorizeAttribute. I'll use that everywhere except the password change controller methods.

A: 

You could look at adding an event handler for the PostAuthenticateRequest event in global.asax.

protected void Application_Start(object sender, EventArgs e) {
  this.PostAuthenticateRequest += new EventHandler(Global_PostAuthenticateRequest);
}

void Global_PostAuthenticateRequest(object sender, EventArgs e)
{
 if (passwordExpired) {
   Context.Response.Redirect("~/ChangePassword.aspx");
   }
}
Colin Cochrane  2009-05-07 21:43:50
Tried that, but apparently that event is abandoned in MVC.
Will  2009-05-08 12:38:16
+1  A:  
public class DenyExpiredPasswordAttribute : AuthorizeAttribute
{

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        IPrincipal user = filterContext.HttpContext.User;

        if(user != null)
        {
            if (user.Identity.IsAuthenticated)
            {

                if (CurrentUser.PasswordExpired) // your checking of password expiration
                {
                    filterContext.HttpContext.Response.Redirect("~/Account/ChangePassword?reason=expired");
                }
            }
        }
        base.OnAuthorization(filterContext);
    }
}

this works fine, just mark every controller with this attribute exclude "Account" one. This way no user with expired attribute able to continue until change password.

Lion_cl  2009-07-04 00:47:33
This is essentially what I went with.
Will  2009-10-19 12:45:44

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data