How to have users change their passwords after the first login?

The website that I have created requires Admin accounts to create accounts for users. How would I go about having those users change their password after the first time they log in? The problem is users will have a generic password designated to them; after they decide to log in for the first time I would like them to have to change their password to something that is less generic.

Here is my login controller

    //
    // GET: /Account/Login
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    //
    // POST: /Account/Login
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (ModelState.IsValid)
        {
            // FindAsync checks the password against the stored hash and returns null on any mismatch
            var user = await UserManager.FindAsync(model.UserName, model.Password);
            if (user != null)
            {
                await SignInAsync(user, model.RememberMe);
                return RedirectToLocal(returnUrl);
            }
            else
            {
                // Same message for an unknown user and a wrong password
                ModelState.AddModelError("", "Invalid username or password.");
            }
        }

        // If we got this far, something failed; redisplay the form
        return View(model);
    }

My login Model

    using System.ComponentModel.DataAnnotations;

    public class LoginViewModel
    {
        [Required]
        [Display(Name = "User name")]
        public string UserName { get; set; }

        [Required]
        [DataType(DataType.Password)]
        [Display(Name = "Password")]
        public string Password { get; set; }

        [Display(Name = "Remember me?")]
        public bool RememberMe { get; set; }
    }

And the view

    <div class="container">
        <div class="col-md-8">
            <section id="loginForm">
                @using (Html.BeginForm("Login", "Account", new { ReturnUrl = ViewBag.ReturnUrl }, FormMethod.Post, new { @class = "form-horizontal", role = "form" }))
                {
                    @Html.AntiForgeryToken()
                    <h4>Use a local account to log in.</h4>
                    <hr />
                    @Html.ValidationSummary(true)
                    <div class="form-group">
                        @Html.LabelFor(m => m.UserName, new { @class = "col-md-2 control-label" })
                        <div class="col-md-10">
                            @Html.TextBoxFor(m => m.UserName, new { @class = "form-control" })
                            @Html.ValidationMessageFor(m => m.UserName)
                        </div>
                    </div>
                    <div class="form-group">
                        @Html.LabelFor(m => m.Password, new { @class = "col-md-2 control-label" })
                        <div class="col-md-10">
                            @Html.PasswordFor(m => m.Password, new { @class = "form-control" })
                            @Html.ValidationMessageFor(m => m.Password)
                        </div>
                    </div>
                    <div class="form-group">
                        <div class="col-md-offset-2 col-md-10">
                            <div class="checkbox">
                                @Html.CheckBoxFor(m => m.RememberMe)
                                @Html.LabelFor(m => m.RememberMe)
                            </div>
                        </div>
                    </div>
                    <div class="form-group">
                        <div class="col-md-offset-2 col-md-10">
                            <input type="submit" value="Log in" class="btn btn-default" />
                        </div>
                    </div>
                }
            </section>
        </div>
    </div>
Brian asked Jan 12 '15 21:01

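A flag-based way to do what the question asks, as an added example that is not code from the question or the answer on this page: the admin-created account carries a MustChangePassword flag, the account is created with a random temporary password rather than a shared generic one, and a global action filter redirects every authenticated request to the change-password page until the flag is cleared. It assumes the ASP.NET MVC 5 project template types (ApplicationUser, ApplicationUserManager, ApplicationSignInManager, ChangePasswordViewModel) on Microsoft.AspNet.Identity 2.x with OWIN cookie authentication; the MustChangePassword column, AdminController, RequirePasswordChangeAttribute and the UserCreated view are this example's own names.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;

// Added example: one extra column on the template's Identity user (needs a migration).
public class ApplicationUser : IdentityUser
{
    // Set by the admin at creation, cleared when the user chooses their own password.
    public bool MustChangePassword { get; set; }
}

// Global filter (FilterConfig: filters.Add(new RequirePasswordChangeAttribute())).
// While the flag is set, every authenticated MVC request except ChangePassword and
// LogOff is redirected, so the temporary password cannot be used to browse the site.
public class RequirePasswordChangeAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext ctx)
    {
        var principal = ctx.HttpContext.User;
        if (principal == null || !principal.Identity.IsAuthenticated) return;

        var controller = ctx.ActionDescriptor.ControllerDescriptor.ControllerName;
        var action = ctx.ActionDescriptor.ActionName;
        if ((controller == "Manage" && action == "ChangePassword") ||
            (controller == "Account" && action == "LogOff")) return;

        // One store lookup per request; move the flag into a claim if this is too hot.
        var manager = ctx.HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
        var user = manager.FindById(principal.Identity.GetUserId());
        if (user != null && user.MustChangePassword)
            ctx.Result = new RedirectToRouteResult(
                new RouteValueDictionary(new { controller = "Manage", action = "ChangePassword" }));
    }
}

[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    // Random temporary password instead of a shared "generic" one: a known default
    // would open every account whose owner has not logged in yet.
    private static string NewTemporaryPassword()
    {
        var bytes = new byte[18];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes) + "Aa1!";   // satisfies the template's PasswordValidator
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> CreateUser(string userName, string email)
    {
        var user = new ApplicationUser { UserName = userName, Email = email, MustChangePassword = true };
        var temp = NewTemporaryPassword();
        var result = await UserManager.CreateAsync(user, temp);
        if (!result.Succeeded)
        {
            foreach (var error in result.Errors) ModelState.AddModelError("", error);
            return View();
        }
        ViewBag.TemporaryPassword = temp;   // shown once to the admin; hand to the user out of band
        return View("UserCreated");
    }
}

[Authorize]
public class ManageController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }
    private ApplicationSignInManager SignInManager
    {
        get { return HttpContext.GetOwinContext().Get<ApplicationSignInManager>(); }
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> ChangePassword(ChangePasswordViewModel model)
    {
        if (!ModelState.IsValid) return View(model);
        var userId = User.Identity.GetUserId();

        // Requires the temporary password again, so a stolen cookie alone cannot set
        // a new one. ChangePasswordAsync also rotates the user's security stamp.
        var result = await UserManager.ChangePasswordAsync(userId, model.OldPassword, model.NewPassword);
        if (!result.Succeeded)
        {
            foreach (var error in result.Errors) ModelState.AddModelError("", error);
            return View(model);
        }

        var user = await UserManager.FindByIdAsync(userId);
        user.MustChangePassword = false;
        await UserManager.UpdateAsync(user);

        // Re-issue the cookie under the new stamp; any other cookie issued for the
        // temporary password fails validation once the cookie validateInterval elapses.
        await SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
        return RedirectToAction("Index", "Home");
    }
}
```

The filter only covers MVC actions; Web API controllers or raw handlers in the same site would need the same check, which is one reason to prefer keeping the user signed out entirely (redirecting from the Login action to ChangePassword before calling SignInAsync) when the application exposes more than MVC views. The same flag is also the natural hook for a helpdesk reset later on.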

People also ask

How do I force a user to change password on first login?

On Linux a user is forced to pick a new password when the current one has expired. The passwd command's -e (--expire) switch expires a user's password immediately, so the next login prompts for a new one: passwd -e username. chage -d 0 username has the same effect.

Why do administrators ask users to change their password during the first login?

Forcing users to select their own password at initial logon (the first time they authenticate) ensures that nobody else, including the administrator who set the initial password, knows the password for the account once it has been changed. Only the account owner holds the credential from that point on.

Why do we need to change password in next login?

In Active Directory the "User must change password at next logon" flag is set in a couple of different scenarios, including when a user account password has expired, or when an administrator manually sets the flag on an account, typically after provisioning it or resetting its password.

How often do passwords for general users need to be changed?

Older guidance recommended creating a new password every three months. Current guidance (NIST SP 800-63B) drops mandatory periodic rotation: a password should be changed when there is evidence of compromise, for example after a breach or when a cybercriminal has had access to the account, rather than on a calendar schedule.

1 Answer

I've just had a similar problem. My system has the option of an admin creating users. What I did was to create the user with a randomly generated password.

The Confirmation Email normally has a URL which contains the email confirmation token. All I did was to include the confirmation AND email reset tokens:

    // Both tokens come from the same UserTokenProvider; each is bound to a purpose
    // ("Confirmation" / "ResetPassword") and to the user's current security stamp
    string emailConfirmationCode = await UserManager.GenerateEmailConfirmationTokenAsync(userID);
    string passwordSetCode = await UserManager.GeneratePasswordResetTokenAsync(userID);

    var callbackUrl = Url.Action("ConfirmEmail", "Account",
        new { userId = userID, emailConfirmationCode = emailConfirmationCode, passwordSetCode = passwordSetCode },
        protocol: Request.Url.Scheme);
    var subject = "Confirm your account";
    await UserManager.SendEmailAsync(userID, subject,
        $"Please confirm your account by clicking <a href=\"{callbackUrl}\">here</a>");

then, in my confirmEmail action:

[AllowAnonymous]
public async Task<ActionResult> ConfirmEmail(string userId, string emailConfirmationCode, string passwordSetCode = null )
{
    if (userId == null || emailConfirmationCode == null)
    {
        return View("Error");
    }
    var result = await UserManager.ConfirmEmailAsync(userId, emailConfirmationCode);

    if (result.Succeeded && !string.IsNullOrEmpty(passwordSetCode))
    {
        return RedirectToAction("ResetPassword", "Account", new { userId = userId, code = passwordSetCode, firstPassword = true  });
    }

    return View(result.Succeeded ? "ConfirmEmail" : "Error");
}

Note that I use firstPassword so that I can show a different view from the Forgot Password one:

[AllowAnonymous]
public ActionResult ResetPassword(string code, bool firstPassword = false)
{
    if (code == null)
        return View("Error");
    return firstPassword? View("FirstPassword") : View();
}

This way, the only way they can log in is by confirming their email AND setting their password. If they somehow don't follow through with the reset, they'd need to do the forgot password process from scratch. Re-clicking their link gives me a token error the second time around.

Arthur Russell Fox answered Sep 21 '22 12:09
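The answer above shows the link generation and the GET side of ConfirmEmail and ResetPassword. As an added example that is not the answer's own code, here is the rest of that flow which the page does not show: a Login action that refuses accounts whose e-mail is still unconfirmed (otherwise the randomly generated password is a working login before the link is ever used), the ResetPassword POST that consumes the token, and a shorter token lifespan configured on the token provider. It assumes the ASP.NET MVC 5 template's ApplicationUser, ApplicationUserManager, ApplicationSignInManager, LoginViewModel, ResetPasswordViewModel (Email, Password, ConfirmPassword, Code), the Lockout and ResetPasswordConfirmation views, and Microsoft.AspNet.Identity 2.x; the FirstPassword view name follows the answer and the TokenConfig helper is this example's own.

```csharp
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

public static class TokenConfig
{
    // Added example: call from ApplicationUserManager.Create in the template. The
    // confirmation token and the password-set token both come from this provider,
    // so TokenLifespan bounds how long the e-mailed link stays usable (default 1 day).
    public static void ConfigureTokens(ApplicationUserManager manager,
                                       IdentityFactoryOptions<ApplicationUserManager> options)
    {
        var dataProtectionProvider = options.DataProtectionProvider;
        if (dataProtectionProvider != null)
        {
            manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(
                dataProtectionProvider.Create("ASP.NET Identity"))
            {
                TokenLifespan = TimeSpan.FromHours(6)
            };
        }
    }
}

public class AccountController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }
    private ApplicationSignInManager SignInManager
    {
        get { return HttpContext.GetOwinContext().Get<ApplicationSignInManager>(); }
    }

    // Without this check the admin-created password is a valid login before the
    // user has clicked the link, which defeats the point of the flow.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid) return View(model);

        var user = await UserManager.FindByNameAsync(model.UserName);
        if (user != null && !await UserManager.IsEmailConfirmedAsync(user.Id))
        {
            // Same wording as a bad password, so the response does not reveal
            // which usernames exist and are still awaiting confirmation.
            ModelState.AddModelError("", "Invalid username or password.");
            return View(model);
        }

        var result = await SignInManager.PasswordSignInAsync(
            model.UserName, model.Password, model.RememberMe, shouldLockout: true);
        switch (result)
        {
            case SignInStatus.Success:
                return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl)
                                                 : RedirectToAction("Index", "Home");
            case SignInStatus.LockedOut:
                return View("Lockout");
            default:
                ModelState.AddModelError("", "Invalid username or password.");
                return View(model);
        }
    }

    // POST side of the answer's ResetPassword GET. firstPassword only selects the
    // view; the token in model.Code is what authorises the change.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<ActionResult> ResetPassword(ResetPasswordViewModel model, bool firstPassword = false)
    {
        var viewName = firstPassword ? "FirstPassword" : "ResetPassword";
        if (!ModelState.IsValid) return View(viewName, model);

        var user = await UserManager.FindByEmailAsync(model.Email);
        if (user == null)
        {
            // Do not reveal whether the address is registered.
            return RedirectToAction("ResetPasswordConfirmation", "Account");
        }

        // Validates the token for purpose "ResetPassword" against the user's current
        // security stamp, stores the new hash and rotates the stamp. That rotation is
        // why both e-mailed tokens fail if the link is opened a second time.
        var result = await UserManager.ResetPasswordAsync(user.Id, model.Code, model.Password);
        if (result.Succeeded) return RedirectToAction("ResetPasswordConfirmation", "Account");

        foreach (var error in result.Errors) ModelState.AddModelError("", error);
        return View(viewName, model);
    }
}
```

Two caveats a practitioner should keep in mind with this flow: the tokens travel in the URL, so they end up in mail-client, proxy and web-server logs, which is the reason to keep TokenLifespan short; and ConfirmEmailAsync on its own does not rotate the security stamp, so a confirmation link stays replayable until the password reset has run, which is what the answer's observation about the second click reflects.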