
I've got an ASP.NET MVC web app which uses forms authentication.

I'm using ActiveDirectoryMembershipProvider to validate users against our domain.

```csharp
if (Membership.ValidateUser(m.Username, m.Password))
{
    FormsAuthentication.SetAuthCookie(m.Username, true);

    ....
```

This means the user gets validated only when they log in.

Problem with that is of course that if the user's password changes they still remain logged in. Or worse, the user leaves our company with a grudge, and they still have access.

I would have thought such a simple use case would have an obvious answer but I've been stuck on this for a while now.

I could put the users password in the session and then validate it every time, but that doesn't feel right.

What is the suggested/correct way of handling this?

NoPyGod

2 Answers


The typical solution is to force log out when users unsubscribe from the service or, less commonly, when they change their password. Use this method:

```csharp
FormsAuthentication.SignOut();
FormsAuthentication.RedirectToLoginPage();
```

If the user can be deactivated outside of the app (i.e. Active Directory), the typical practice is to rely on the session time-out and perhaps ask for the credentials once more for critical operations. If you absolutely cannot allow the deactivated user to work while the session is still active, then yes, you'll have to check the credentials on every request. Since storing the password in the app is a very bad idea, it means you'll have to ask for credentials on each request which arguably is an even worse idea.

As for the password change, it normally doesn't modify the user's permissions so it should be harmless to allow for them to continue working.

Serge Belov
  • So you're saying I should check the user's password is correct on every request and then log the user out when the password has changed? Those ActiveDirectoryMembershipProvider.ValidateUser calls must be somewhat expensive though... – NoPyGod Nov 30 '12 at 04:15
  • @NoPyGod What I mean is you should sign them out when they change the password or unsubscribe. Other than that you only have to check the password once, set the cookie and that's it. This is the normal way of working with Form Authentication. A – Serge Belov Nov 30 '12 at 04:18
  • Active directory doesn't notify my web app when the user's password changes, so where am I going to make the call to SignOut()? I'm not sure you understand what I'm getting at here, have you ever used ActiveDirectoryMembershipProvider? – NoPyGod Nov 30 '12 at 04:20
  • @NoPyGod OK, I incorrectly assumed you actually provide your users means to change the AD password and deactivate themselves. The key and not obvious piece of information is that the users are managed completely outside of your app. I've updated the answer accordingly. – Serge Belov Nov 30 '12 at 04:28

The answer is to periodically (every 30 minutes or so) check User.IsApproved and User.LastPasswordChangedDate to make sure the user's credentials are still valid.

To do this you need to manually create the FormsAuthenticationTicket and cookie, rather than using FormsAuthentication.SetAuthCookie.

Put the date you validated the user inside UserData and compare this against LastPasswordChangedDate.

I've implemented this and it works perfectly.

More information here

Check if Active Directory password is different from cookie

NoPyGod
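Below is an added example of the approach answer 2 describes; it is not code from the question or from either answer. The class name `RevalidatingFormsAuth`, the `RecheckInterval` constant (30 minutes, as the answer suggests) and the `MvcApplication` hook are assumptions for illustration. It assumes the app's default membership provider is the `ActiveDirectoryMembershipProvider` from the question and that its connection account can read the user's `IsApproved`, `IsLockedOut` and `LastPasswordChangedDate` attributes. The ticket is created by hand so that `UserData` carries the UTC time the credentials were last checked against AD; `Application_PostAuthenticateRequest` then re-checks the account once that time is older than the interval and signs the user out if the account has been disabled, locked out, or its password changed since.

```csharp
using System;
using System.Globalization;
using System.Web;
using System.Web.Security;

// Added example (not from the original page): issue the forms ticket by hand so
// UserData records when the credentials were last verified against AD, then
// re-verify them every RecheckInterval. Assumed names throughout.
public static class RevalidatingFormsAuth
{
    // Assumption: re-check every 30 minutes, as answer 2 suggests.
    public static readonly TimeSpan RecheckInterval = TimeSpan.FromMinutes(30);

    // Call this instead of FormsAuthentication.SetAuthCookie after
    // Membership.ValidateUser has succeeded.
    public static void SetAuthCookie(HttpResponseBase response, string username, bool persistent)
    {
        IssueTicket(response, username, persistent, DateTime.UtcNow);
    }

    private static void IssueTicket(HttpResponseBase response, string username, bool persistent, DateTime validatedUtc)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            username,
            now,
            now.Add(FormsAuthentication.Timeout),
            persistent,
            validatedUtc.ToString("o", CultureInfo.InvariantCulture), // UserData: last AD check, UTC, round-trip format
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath,
        };
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;
        }
        response.Cookies.Add(cookie);
    }

    // Called once per request after forms authentication has run.
    // Returns true when the user was signed out by this check.
    public static bool RevalidateIfDue(HttpContextBase context)
    {
        var identity = context.User != null ? context.User.Identity as FormsIdentity : null;
        if (identity == null)
        {
            return false; // anonymous request, nothing to re-check
        }

        DateTime validatedUtc;
        if (!DateTime.TryParseExact(identity.Ticket.UserData, "o", CultureInfo.InvariantCulture,
                                    DateTimeStyles.RoundtripKind, out validatedUtc))
        {
            // Ticket not issued by this class (e.g. an old SetAuthCookie ticket): treat as stale.
            validatedUtc = DateTime.MinValue;
        }

        if (DateTime.UtcNow - validatedUtc < RecheckInterval)
        {
            return false; // checked recently enough, skip the AD round trip
        }

        // Ask the membership provider (ActiveDirectoryMembershipProvider here) for the current account state.
        // The provider returns dates in local time, so normalise to UTC before comparing.
        MembershipUser user = Membership.GetUser(identity.Name, false);
        bool stillValid = user != null
            && user.IsApproved
            && !user.IsLockedOut
            && user.LastPasswordChangedDate.ToUniversalTime() <= validatedUtc;

        if (!stillValid)
        {
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
            context.ApplicationInstance.CompleteRequest(); // stop the pipeline; do not serve the page
            return true;
        }

        // Account still good: stamp a fresh check time so the next RecheckInterval
        // passes without another AD query. The ticket keeps its persistence setting.
        IssueTicket(context.Response, identity.Name, identity.Ticket.IsPersistent, DateTime.UtcNow);
        return false;
    }
}

// Global.asax.cs hook (assumed application class name).
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        RevalidatingFormsAuth.RevalidateIfDue(new HttpContextWrapper(Context));
    }
}
```

The interval bounds the window a disabled or password-changed account can keep working, and the re-issued ticket means AD is queried at most once per interval per user rather than on every request. Note that a ticket produced by the original `FormsAuthentication.SetAuthCookie` call has empty `UserData`, so it fails the parse and is re-checked on its next request, which makes the switch-over safe for sessions that were already signed in.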