Home/ Questions/Q 7556205
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T11:48:28+00:00

I have a MVC 3 app. There are mainly two zones regarding security. The

  • 0

I have a MVC 3 app. There are mainly two zones regarding security. The first one is mostly to prevent public access, but not really sensitive information. Password strength might be weak since there is not really much harm to do either.

Second zone(Area) is restricted. user must apply for access. If user gets access it gets a certain role(s). So each controller method autorizes the user based on that role.

I want these users to have to change password to a strong password on the next logon before they can go further and access the restricted content.

Example:

User A applies for access.
Access is granted. The password policy for
that user is changed as long as it has access. They MUST
change their password on the next logon, and they cannot change back
to a weaker password as long as they have that role.

Is there any secure way to implement this using the ASP.NET?

Update

I’ve actually used Chris proposed solution and it works, but to handle the verification of the password itself I actually got some inspiration from Micah’s proposed solution too. However, it turns out that overriding MembershipProvider.OnValidatingPassword does imply also having to implement 10 + abstract methods that I really do not need to solve this.

A better solution in my eyes was hooking on to the Membership.ValidatingPassword EVENT. I do this inn App_Start, then I implement my own password validation in the event handler and that solved my problem.

Just to share the solution with you i present it here, toghether with Chris solution this solved my problem and hopefully for someone else too:

    void App_Start()
    {
        //To do custom validation on certain passwords set new event handler
        Membership.ValidatingPassword += Membership_ValidatingPassword;
    }

private void Membership_ValidatingPassword(object sender, ValidatePasswordEventArgs e)
    {
        //If the user is a new user, we let registration happen without strong password
        if (e.IsNewUser) return;


        MembershipUser membershipUser = Membership.GetUser(e.UserName);
        Guid userId = Guid.Parse(membershipUser.ProviderUserKey.ToString());

        //First check if the pwd is strong enough to be flagged, if so we flag it
        //using regex to validate the password (20 char, 2 uppercase so on)
        if (MyValidationClass.IsStrongPassword(e.Password, 20, 2, 4, 1))
        {
            //if the user does not already have a flag we set one
            MyValidationClass.SetStrongPasswordFlag(userId);
        }
        else
        {
            //If the user needs strong pwd, we cancel the operation and throw exception
            if (MyValidationClass.NeedsStrongPassword(e.UserName))
            {
                e.FailureInformation =
                    new MembershipPasswordException("Password does not satisfy reqirements!");
                e.Cancel = true;
            }
            else
            {
                MyValidationClass.RemoveStrongPasswordFlag(userId);
            }
        }
    }
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You could write your own Authorize Attribute to accommodate both. You simply need to then use it on the relevant sections of your application:

    For example:

    public class HasChangedPasswordAttribute : AuthorizeAttribute
{      
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        UserRepository repo = new UserRepository();
        var user = repo.GetCurrentUser();
        bool hasSecurelyChangedPassword = user.HasSecurelyChangedPassword;
        return hasSecurelyChangedPassword;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new RedirectResult("/Account/ChangePassword");
    }
}

    The above will check that the user has securely changed their password. If not it will redirect them to a new page in which to change their password. Once they change it, set the flag as changed.

    You can then use it like this:

    [HasChangedPassword]
[Authorize(Roles="SuperRole")]
public ActionResult MySecureAction()
{
 ...
}

    You could obviously integrate both of these attributes into one, but for the sake of showing the example they are seperated above.

    • 0