Create an account

Very important

  • To access the important data of the forums, you must be active in each forum and especially in the leaks and database leaks section, send data and after sending the data and activity, data and important content will be opened and visible for you.
  • You will only see chat messages from people who are at or below your level.
  • More than 500,000 database leaks and millions of account leaks are waiting for you, so access and view with more activity.
  • Many important data are inactive and inaccessible for you, so open them with activity. (This will be done automatically)

0Day Forums Coding Asp.Net How to setup password expiration using ASP.NET Identity Framework

Thread Rating:
  • 255 Vote(s) - 3.51 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Options
How to setup password expiration using ASP.NET Identity Framework

Offline verbally57136


Member
*
Member
Posts: 0
Threads: 0
Joined: Jul 2018
Reputation: 0
Level: inf [Level]
Total Points: inf
Rank nan / 1
100% to upload Level
Rank
Activity inf / 1
99% to upload your Rank
Activity
Experience nan
100% to upload Experience
Experience

Points: 50
#1
07-23-2023, 09:00 AM
I have a ASP.NET project using Identity. For Identity Configuration regarding passwords, the `PasswordValidator` is being used. How do I expand the enforcement of password beyond what `PasswordValidator` has currently (`RequiredLength`, `RequiredDigit`, etc.) to satisfy a requirement that asks for password expiration after N days?
Reply

Offline staceyfusvrckvhn


Member
*
Member
Posts: 0
Threads: 0
Joined: Jan 2017
Reputation: 0
Level: inf [Level]
Total Points: inf
Rank nan / 1
100% to upload Level
Rank
Activity inf / 1
99% to upload your Rank
Activity
Experience nan
100% to upload Experience
Experience

Points: 50
#2
07-23-2023, 09:04 AM
There is no such functionality builtin ASP.NET Identity 2. Easiest is to add a field on the user like **LastPasswordChangedDate**. And then check this field during each Authorization.

public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
var user = await GetUser(context.UserName, context.Password);
if(user.LastPasswordChangedDate.AddDays(20) < DateTime.Now)
// user needs to change password

}
}
Reply

Offline recollect950


Valued member
***
Valued member
Posts: 0
Threads: 0
Joined: Feb 2022
Reputation: 0
Level: inf [Level]
Total Points: inf
Rank nan / 1
100% to upload Level
Rank
Activity inf / 1
99% to upload your Rank
Activity
Experience nan
100% to upload Experience
Experience

Points: 50
#3
07-23-2023, 09:21 AM
Adding on to @Rikard's answer...

I added `LastPasswordChangedDate` to my `ApplicationUser` model, like so:

public class ApplicationUser : IdentityUser
{
public DateTime LastPasswordChangedDate { get; set; }

public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager)
{
// Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
// Add custom user claims here
return userIdentity;
}
}

Add a static configuration setting to `AccountController` (you'll need this later on in `Login()`:

private static readonly int PasswordExpireDays = Convert.ToInt32(ConfigurationManager.AppSettings["PasswordExpireDays"]);

Then, during `Login`, check to see if the user should reset password. This only checks after a successful login, as to not bug user too much.

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
if (!ModelState.IsValid)
{
return View(model);
}

// This doesn't count login failures towards account lockout
// To enable password failures to trigger account lockout, change to shouldLockout: true
var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);
switch (result)
{
case SignInStatus.Success:
var user = await UserManager.FindByNameAsync(model.Email);
if (user.LastPasswordChangedDate.AddDays(PasswordExpireDays) < DateTime.UtcNow)
{
return RedirectToAction("ChangePassword", "Manage");
}
else
{
return RedirectToLocal(returnUrl);
}
case SignInStatus.LockedOut:
return View("Lockout");
case SignInStatus.RequiresVerification:
return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = model.RememberMe });
case SignInStatus.Failure:
default:
ModelState.AddModelError("", "Error: Invalid username or password");
return View(model);
}
}


Make sure to update the `LastPasswordChangedDate` when the user successfully updates password, in ManageController, ChangePassword action:


[HttpPost]
[ValidateAntiForgeryToken]
public async Task<ActionResult> ChangePassword(ChangePasswordViewModel model)
{
if (!ModelState.IsValid)
{
return View(model);
}
var result = await UserManager.ChangePasswordAsync(User.Identity.GetUserId(), model.OldPassword, model.NewPassword);
if (result.Succeeded)
{
var user = await UserManager.FindByIdAsync(User.Identity.GetUserId());
if (user != null)
{
user.LastPasswordChangedDate = DateTime.UtcNow;
await UserManager.UpdateAsync(user);

await SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
}
return RedirectToAction("Index", new { Message = ManageMessageId.ChangePasswordSuccess });
}
AddErrors(result);
return View(model);
}
Reply

« Next Oldest
Next Newest »


Forum Jump:


Users browsing this thread:
1 Guest(s)

©0Day  2016 - 2023 | All Rights Reserved.  Made with    for the community. Connected through