Home/ Questions/Q 9076443
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T19:06:30+00:00

I’ve got a ASP.NET MVC web app which uses forms authentication. I’m using ActiveDirectoryMembershipProvider

  • 0

I’ve got a ASP.NET MVC web app which uses forms authentication.

I’m using ActiveDirectoryMembershipProvider to validate users against our domain. 

if (Membership.ValidateUser(m.Username, m.Password))
{

    FormsAuthentication.SetAuthCookie(m.Username, true);

    ....

This means the user gets validated only when they log in.

Problem with that is ofcourse that if the user’s password changes they still remain logged in. Or worse, user leaves our company with a grudge, and they still have access.

I would have thought such a simple use case would have an obvious answer but I’ve been stuck on this for a while now.

I could put the users password in the session and then validate it every time, but that doesn’t feel right.

What is the suggested/correct way of handling this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The answer is to periodically (every 30 minutes or so) check User.IsApproved and User.LastPasswordChangedDate to make sure the users credentials are still valid.

    To do this you need to manually create the FormsAuthenticationTicket and cookie, rather than using FormsAuthentication.SetAuthCookie.

    Put the date you validated the user inside UserData and compare this against LastPasswordChangedDate.

    I’ve implemented this and it works perfectly.

    More information here

    Check if Active Directory password is different from cookie

    • 0