Last post Aug 24, 2018 02:24 AM by Yuki Tao
Aug 22, 2018 07:35 PM|asif iqbal|LINK
How to implement password expiration in MVC 4 using Simple Membership? My current project has implemented security using simple membership, but password expiration has not been implemented. Any ideas?
Aug 22, 2018 07:56 PM|mgebhard|LINK
First determine how long a password is valid. Then store this value in configuration or a table. When the user logs in, fetch the date the password was created. If you do not have this field then you'll need to add it to your user table. If password create date is greater than the current date then the password has expired.
That's the general design idea. From here you should be able to start writing code to meet the requirements.
Aug 22, 2018 08:08 PM|PatriceSc|LINK
It seems you have https://docs.microsoft.com/en-us/previous-versions/aspnet/web-frameworks/gg548287(v=vs.111) already (or, especially for old stuff, give the full name including the namespace so that we are 100% sure of what you are using).
If confirmed, it seems you could include a check when the user logs in, or maybe as a global filter if you want to force a password change (of course you'll override this filter on the password change page).
Aug 22, 2018 08:29 PM|asif iqbal|LINK
Thank you for your response.
I went through the entire documentation of attributes/methods available for simple membership, which includes the method you have suggested.
I had modified my code to check the last password changed date and then to force the user to change their password.
However, I would like to know what's the best practice to implement something like this.
Thanks in advance
Aug 22, 2018 09:13 PM|PatriceSc|LINK
From which point of view? IMO the worst is to add a bit of complexity by following a "best practice" without ever taking the advantage that comes with it.
See what makes sense for you. For example you have https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
Following the same idea, I saw once that most browser vendors removed the ability to prevent autocompletion for passwords. The idea is that if all web sites are doing this, users must remember all their passwords and they'll end up using the same everywhere or simpler passwords. So it could be counterproductive compared with just letting them use the browser password manager.
A trend is also to detect and report unusual activity.
Aug 23, 2018 03:20 PM|asif iqbal|LINK
Thank you for your response...
The reason I had asked this question was that we were in the process of upgrading our security to ASP.NET Identity. Things changed and we never got that done.
So currently, we have a simple membership implementation of security and most of the functionality is already there, but for some reason, or maybe the client requirement didn't exist at that point in time, the password expiration functionality is not there in our application. Now that client seems to want that functionality without upgrading the security.
I tried looking for documentation or some kind of lead on this and couldn't find it anywhere. Hopefully now you understand our situation here.
If you could help with the implementation part of it that would be great.
Thanks again for your help!
Aug 23, 2018 06:17 PM|asif iqbal|LINK
Most probably I need a filter to force the user to change their password. Please let me know if you could guide me with some code samples to implement this.
Aug 24, 2018 02:24 AM|Yuki Tao|LINK
Hi asif iqbal,
Membership doesn't have out of the box support for it, but you can achieve it.
Please follow this article from Scott Mitchell.
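
The global filter approach discussed in this thread, as an added example (not code from any poster or from the SimpleMembership project). The 90-day limit, the `AllowExpiredPassword` attribute name and the `Account/Manage` redirect target are assumptions; `WebSecurity.GetPasswordChangedDate` is the SimpleMembership call that supplies the date.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Routing;
using WebMatrix.WebData;

// Opt-out marker (hypothetical name) for the change-password and log-off actions,
// so an expired user can still reach them without a redirect loop.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AllowExpiredPasswordAttribute : Attribute { }

public class PasswordExpirationFilter : IAuthorizationFilter
{
    // Assumption: 90-day policy; load this from configuration in a real application.
    private static readonly TimeSpan MaxPasswordAge = TimeSpan.FromDays(90);

    // Pure policy check, kept separate from MVC so it can be unit tested.
    // A missing date (DateTime.MinValue) also compares as expired, which fails closed.
    public static bool IsExpired(DateTime changedUtc, DateTime nowUtc, TimeSpan maxAge)
    {
        return nowUtc - changedUtc > maxAge;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated || filterContext.IsChildAction)
            return; // anonymous requests are left to [Authorize]

        var action = filterContext.ActionDescriptor;
        if (action.IsDefined(typeof(AllowExpiredPasswordAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(AllowExpiredPasswordAttribute), true))
            return;

        // Assumption: the stored date is UTC. This is one database read per request;
        // cache the result per session if that cost matters.
        DateTime changed = WebSecurity.GetPasswordChangedDate(user.Identity.Name);
        if (IsExpired(changed, DateTime.UtcNow, MaxPasswordAge))
        {
            // Assumption: Account/Manage is the change-password page.
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
            {
                { "controller", "Account" },
                { "action", "Manage" }
            });
        }
    }
}
```

Register it with `filters.Add(new PasswordExpirationFilter());` in `FilterConfig.RegisterGlobalFilters`, and mark the change-password and log-off actions with `[AllowExpiredPassword]`.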