I want to force the user to change his password after his first login. Now, where should I put the redirection code to ChangePassword page ?
Page_Load
of Default page, user can move to any page because he is Authenticated.If I put it in the Page_Load
of Master page, the ChangePassword page uses the same master page, and it'll enter in an infinit loop of redirections.
I though of ignoring the redirection if the Page
is the ChagePassword page from the Master page, and I found this answer which says:
This sounds like a bad idea to start with. The idea of the master is that it shouldn't care what page is there as this is all common code for each page.
Any suggestion!
Here you are, a fully tested solution ;)
protected void LoginButton_Click(object sender, EventArgs e)
{
/****note: UserName and Password are textbox fields****/
if (Membership.ValidateUser(UserName.Text, Password.Text))
{
MembershipUser user = Membership.GetUser(UserName.Text);
if (user == null)
{
FailureText.Text = "Invalid username. Please try again.";
return;
}
if (user.IsLockedOut)
user.UnlockUser();
/* this is the interesting part for you */
if (user.LastPasswordChangedDate == user.CreationDate) //if true, that means user never changed their password before
{
//TODO: add your change password logic here
}
}
}
You can do it in GLobal.asax file.
Check if user in logged in and request url is not ChangePassword then redirect to change password page.
/// <summary>
/// this event occurs just after user is authenticated
/// </summary>
void Application_AuthorizeRequest(object sender, EventArgs e)
{
// check if user is authenticated
if (User.Identity.IsAuthenticated)
{
// checking page extension
switch (System.IO.Path.GetExtension(Context.Request.Url.AbsoluteUri.ToLower()))
{
case ".bmp":
case ".gif":
case ".jpg":
case ".jpe":
case ".jpeg":
case ".png":
case ".css":
case ".js":
case ".txt":
case ".swf":
// don't redirect, these requests may required in many cases
break;
default:
// checking if request is not for ChangePassword.aspx page
if (!Context.Request.Url.AbsoluteUri.ToLower().Contains("/changepassword.aspx"))
{
Context.Response.Redirect("~/ChangePassword.aspx");
}
break;
}
}
}
We had an app with similar requirements. We extended the base ASP.NET membership provider to allow for a check on the LastPasswordChangedDate and compared it to the CreateDate. If equal, that means the user has never changed their password, and was redirected to the login page.
I see you would like to have some kind of check to keep bugging them even after the login. I think you can accomplish this in the AuthorizationRequest of the Global.asax. That might be expensive though.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With