
I have an asp.net app which needs to log users into Active Directory using forms authentication (windows authentication isn't an option with the given requirements).

I'm saving authentication cookies like so:

if (Membership.ValidateUser(model.UserName, model.Password))
{
    FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
}

This works great, except that the cookie authenticates the user even after they change their Active Directory password.

Is there a way to tell if the user's password has changed?

I'm using asp.net MVC3 with .NET 4

What I've Tried

I feel like this code should work, however the HttpWebResponse never contains any cookies. Not quite sure what I'm doing wrong.

HttpWebRequest request = (HttpWebRequest)WebRequest.Create(Request.Url);
request.CookieContainer = new CookieContainer();

HttpWebResponse response = (HttpWebResponse)request.GetResponse();

Cookie authCookie = response.Cookies["AuthCookie"];
if (authCookie.TimeStamp.CompareTo(Membership.GetUser().LastPasswordChangedDate) < 0)
{
    authCookie.Expired = true;
}
Cavyn VonDeylen

1 Answer


Your code should read

if (Membership.ValidateUser(model.UserName, model.Password))
{
  // Store the issue time in the ticket's UserData so it can be compared later.
  // Use UTC and the round-trip ("o") format so the value survives culture and
  // time-zone differences when it is parsed back.
  string userData = DateTime.UtcNow.ToString("o");

  FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
    model.UserName,
    DateTime.Now,
    DateTime.Now.AddMinutes(30),
    model.RememberMe,
    userData,
    FormsAuthentication.FormsCookiePath);

  // Encrypt the ticket.
  string encTicket = FormsAuthentication.Encrypt(ticket);

  // Create the cookie. HttpOnly keeps script away from the ticket, and the
  // cookie only outlives the browser session when the user asked to be remembered.
  HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket)
  {
    HttpOnly = true,
    Secure = FormsAuthentication.RequireSSL
  };
  if (model.RememberMe)
    cookie.Expires = ticket.Expiration;
  Response.Cookies.Add(cookie);
}

Now, when authenticating the user

HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if (authCookie != null)
{
    FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);
    // UserData holds the UTC issue time written above; compare both sides in UTC.
    DateTime issuedUtc = DateTime.Parse(ticket.UserData).ToUniversalTime();
    DateTime passwordChangedUtc = Membership.GetUser(ticket.Name).LastPasswordChangedDate.ToUniversalTime();

    // Sign out if the ticket was issued BEFORE the password was last changed.
    if (issuedUtc < passwordChangedUtc)
    {
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
Ramesh
  • Thanks, but this still hasn't solved my problem. My issue isn't in creating the cookie, it's being created just fine (verified through Chrome's settings). I just can't retrieve it. Also, your request object I'm assuming is the HttpRequestBase object included with System.Web.Mvc, but that only returns HttpCookies which don't have a TimeStamp property. – Cavyn VonDeylen Oct 09 '12 at 17:41
  • Got it.. Second code piece needs to be updated. Give me some time. – Ramesh Oct 09 '12 at 17:44
  • @CavynVonDeylen Updated. When creating the cookie, we are adding the timestamp as user data. Next time a request comes to your app, the cookie will be present in the request; we retrieve it, take the datetime stored in UserData and compare it with LastPasswordChangedDate – Ramesh Oct 09 '12 at 17:47
  • Thanks again, I appreciate the help, but I still don't get where your "request" object in the second code block is coming from. HttpWebRequest doesn't have a Cookies property, and HttpRequestBase returns HttpCookie objects, not Cookie objects. – Cavyn VonDeylen Oct 09 '12 at 17:51
  • Sorry, I was not sure about MVC... I think in MVC you can access cookies by Request.Cookies["foo"]; – Ramesh Oct 09 '12 at 17:54
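The check the answer describes can be done without any UserData at all, because FormsAuthenticationTicket already records IssueDate. The following is an added example, not code from the question or the answer: an MVC 3 global authorization filter that signs the user out whenever the ticket in the request cookie was issued before the account's last password change. It assumes the ActiveDirectoryMembershipProvider is the configured provider (it fills LastPasswordChangedDate from the pwdLastSet attribute); the class name, the helper names and the decision to compare both timestamps in UTC are my own choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example (not from the original post): reject forms-authentication tickets
// that predate the user's last Active Directory password change.
public class RejectStaleTicketAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpContextBase ctx = filterContext.HttpContext;
        if (!ctx.Request.IsAuthenticated)
            return;

        // Read the ticket from the request cookie rather than from FormsIdentity.Ticket:
        // with slidingExpiration the module may already have renewed the identity's
        // ticket with a fresh IssueDate, which would hide the original issue time.
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        FormsAuthenticationTicket ticket = TryDecrypt(cookie);
        if (ticket == null || ticket.Expired)
        {
            Reject(filterContext);
            return;
        }

        // userIsOnline = false avoids an unnecessary LastActivityDate update on the provider.
        MembershipUser user = Membership.GetUser(ticket.Name, false);
        if (user == null || TicketPredatesPasswordChange(ticket.IssueDate, user.LastPasswordChangedDate))
            Reject(filterContext);
    }

    // Decrypt may return null or throw depending on how the cookie is broken;
    // either way a ticket we cannot verify is treated as no ticket.
    private static FormsAuthenticationTicket TryDecrypt(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;
        try
        {
            return FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { return null; }
        catch (CryptographicException) { return null; }
    }

    // The actual decision, kept free of HttpContext so it can be unit-tested.
    // IssueDate is local server time; the provider's value may carry a different
    // DateTimeKind, so both are normalised to UTC before comparing (assumption).
    public static bool TicketPredatesPasswordChange(DateTime issued, DateTime lastPasswordChanged)
    {
        return issued.ToUniversalTime() < lastPasswordChanged.ToUniversalTime();
    }

    private static void Reject(AuthorizationContext filterContext)
    {
        // SignOut clears the auth cookie; the 401 lets FormsAuthenticationModule
        // redirect the browser to the configured loginUrl.
        FormsAuthentication.SignOut();
        filterContext.Result = new HttpUnauthorizedResult();
    }
}

// Registration, in Global.asax.cs:
//   public static void RegisterGlobalFilters(GlobalFilterCollection filters)
//   {
//       filters.Add(new RejectStaleTicketAttribute());
//       filters.Add(new HandleErrorAttribute());
//   }
```

Two caveats before relying on this. Membership.GetUser queries the domain controller on every authenticated request; in practice you would cache LastPasswordChangedDate per user for a short interval (HttpRuntime.Cache with a one- or two-minute expiry is enough), accepting that a password change takes at most that long to invalidate existing sessions. And the comparison pits the web server's clock against the domain controller's: if they drift, a ticket issued moments after a password change can be rejected, or a change made moments after login can be missed, so keep both hosts on the same time source.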