views: 141

answers: 2

I need to redirect users to the Change Password page if their password has expired.

I want to place this code in one place so that any request can be redirected to the change password page.

I've looked into extending the AuthorizeAttribute and overriding OnActionExecuting, but neither works/allows me to short-circuit the routing logic to redirect to the password change page.

For a little clarification, the logic would be:

Unauthorized request:
-> any URL -> AuthorizeAttribute -> Login.aspx -> password expired -> ChangePassword.aspx

Authorized request:
-> any URL -> ??????? -> ChangePassword.aspx

It's that ???? part that I'm not sure what to do about.


I think I'm going to go with extending the AuthorizeAttribute. I'll use that everywhere except the password change controller methods.

A: 

You could look at adding an event handler for the PostAuthenticateRequest event in global.asax.

// Global.asax.cs: ASP.NET wires up a method named Application_PostAuthenticateRequest by
// convention, so it does not need to be subscribed from Application_Start (a handler attached
// there only binds to the single HttpApplication instance that ran Application_Start).
void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
    // Never redirect the change-password page itself, otherwise the redirect loops.
    if (Request.AppRelativeCurrentExecutionFilePath.Equals("~/ChangePassword.aspx", StringComparison.OrdinalIgnoreCase))
    {
        return;
    }

    bool passwordExpired = false; // replace with your own expiry check for Context.User
    if (Context.User != null && Context.User.Identity.IsAuthenticated && passwordExpired)
    {
        Context.Response.Redirect("~/ChangePassword.aspx");
    }
}
Colin Cochrane
Tried that, but apparently that event is abandoned in MVC.
Will
+1  A: 
using System.Security.Principal;
using System.Web.Mvc;

public class DenyExpiredPasswordAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        IPrincipal user = filterContext.HttpContext.User;

        if (user != null && user.Identity.IsAuthenticated)
        {
            if (CurrentUser.PasswordExpired) // your checking of password expiration
            {
                // Assign a result instead of calling Response.Redirect(): this short-circuits
                // the MVC pipeline so the requested action never executes.
                filterContext.Result = new RedirectResult("~/Account/ChangePassword?reason=expired");
                return;
            }
        }

        // Normal [Authorize] handling (401 / login redirect for anonymous users).
        base.OnAuthorization(filterContext);
    }
}

This works fine; just mark every controller with this attribute except the "Account" one. This way no user with an expired password is able to continue until they change it.

Lion_cl
This is essentially what I went with.
Will
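Instead of marking every controller by hand (and remembering to leave Account out), the same check can be registered once as a global filter with an opt-out attribute for the change-password action, which is exactly where the redirect loop would otherwise come from. This is an added example, not the answerer's code: the IAuthorizationFilter, the AllowExpiredPasswordAttribute, the FilterConfig class and the in-memory expiry dictionary are assumptions, and it targets ASP.NET MVC 3 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.Mvc;

// Opt-out marker for the change-password action/controller; without it the filter would redirect to a page it also guards (a loop).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AllowExpiredPasswordAttribute : Attribute { }

public sealed class DenyExpiredPasswordFilter : IAuthorizationFilter
{
    private readonly Func<IPrincipal, bool> _isExpired;

    // The expiry test is injected; the answer leaves it as "your checking of password expiration".
    public DenyExpiredPasswordFilter(Func<IPrincipal, bool> isExpired) { _isExpired = isExpired; }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        // Let the opt-out targets (e.g. AccountController.ChangePassword) through.
        ActionDescriptor action = filterContext.ActionDescriptor;
        if (action.IsDefined(typeof(AllowExpiredPasswordAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(AllowExpiredPasswordAttribute), true))
            return;

        // Anonymous requests are [Authorize]'s job, not this filter's.
        IPrincipal user = filterContext.HttpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return;

        if (_isExpired(user))
        {
            // Setting Result short-circuits the pipeline so the requested action never runs, which a bare Response.Redirect() does not guarantee.
            filterContext.Result = new RedirectResult("~/Account/ChangePassword?reason=expired");
        }
    }
}

// Global.asax.cs (MVC 3+): one registration covers every controller. The dictionary is a constructed in-memory stand-in for the real expiry store.
public static class FilterConfig
{
    public static readonly Dictionary<string, DateTime> ExpiresAtUtc =
        new Dictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new DenyExpiredPasswordFilter(u =>
        {
            DateTime when;
            return ExpiresAtUtc.TryGetValue(u.Identity.Name, out when) && when <= DateTime.UtcNow;
        }));
    }
}
```

Call FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters) from Application_Start and put [AllowExpiredPassword] on the AccountController (or just its ChangePassword action) so the page a user is sent to is never itself blocked.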