I have an ASP.NET MVC web app which requires the user to login with their domain username and password by validating against ActiveDirectoryMembershipProvider.
On login I use ValidateUser(username, password) to validate the user’s credentials, and I then set the forms auth cookie so that in future requests the user is not asked to enter their username and password again
FormsAuthentication.SetAuthCookie(m.Username, true);
This is fine, but I need to periodically re-validate the user to make sure their domain password has not changed, and I don’t want them to have to enter their credentials again.
One way of doing this would just be to store the user’s password in plain text in the session object, or perhaps encrypting it then later decrypting it. Then I could call ValidateUser once more, and log the user out if necessary.
In other web apps where I’ve rolled my own auth I would simply store a hash of the user’s password and compare that to the hash stored in the database.
There doesn’t appear to be a single method on ActiveDirectoryMembershipProvider which would let me do that.
What is the logical thing to do here?
The answer is to periodically (every 30 minutes or so) check User.IsApproved and User.LastPasswordChangedDate to make sure the users credentials are still valid.
To do this you need to manually create the FormsAuthenticationTicket and cookie, rather than using FormsAuthentication.SetAuthCookie.
Put the date you validated the user inside UserData and compare this against LastPasswordChangedDate.
I’ve implemented this and it works perfectly.
More information here
Check if Active Directory password is different from cookie