Question

I want to use a password expiration policy. For users who want to log in to the website, we can check the password in the Authenticate event of the Login control. But what about users who have already logged in and won't be caught by the login page? In this question, it is suggested that handling the HttpApplication.PostAuthenticateRequest event is not a good approach.

I'm thinking about handling the Session_Start() event. For each user this fires once, and we can check whether the user's password is current or not. But I don't know: if an already logged-in user visits the site after some days, would this event fire or not?


Solution

Are you sure you want to log users out just because the password has expired? The logon cookie expiration and password expiration are separate concerns.

I don't see anything wrong in maintaining the login cookie until it expires by itself and then forcing the user to change his/her password upon next logon. Just make sure you don't issue cookies with too long an expiration period, and sooner or later all your users will have to re-login. And this is where you catch possible password expiration.

Note also that checking the expiration on each request (it doesn't matter if it is PostAuthenticateRequest or PreRequestHandlerExecute) could be just impossible. If your site relies on an external authentication source, you just can't go there and check the password expiration. Imagine asking Google or Facebook (if your users authenticate there) whether the password expired or not. It is just not easily possible (or not possible at all).
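The approach the answer describes (check password age only at logon, let the existing forms-auth cookie run out on its own) implemented as an ASP.NET Web Forms `Login` control `Authenticate` handler. This is an added example, not code from the question or the answer; the `UserStore` class, its `MaxPasswordAge` policy and the `~/ChangePassword.aspx` page are assumptions for illustration, and the in-memory user records are constructed sample data.

```csharp
// Added example: enforce password expiration at logon only, in the Login
// control's Authenticate event. Hypothetical user store and page names.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
using System.Web.UI.WebControls;

// Hypothetical user store standing in for a membership provider or database.
public static class UserStore
{
    // Policy (assumed value): passwords older than 90 days must be changed at next logon.
    public static readonly TimeSpan MaxPasswordAge = TimeSpan.FromDays(90);

    // Constructed sample records: user -> (password hash placeholder, last change, UTC).
    private static readonly Dictionary<string, Tuple<string, DateTime>> Users =
        new Dictionary<string, Tuple<string, DateTime>>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", Tuple.Create("HASH-PLACEHOLDER-1", DateTime.UtcNow.AddDays(-10)) },
            { "bob",   Tuple.Create("HASH-PLACEHOLDER-2", DateTime.UtcNow.AddDays(-120)) },
        };

    // Replace with a real salted hash comparison (e.g. PBKDF2); placeholder only.
    public static bool ValidateCredentials(string user, string password)
    {
        Tuple<string, DateTime> rec;
        return Users.TryGetValue(user, out rec) && rec.Item1 == HashPlaceholder(password);
    }

    public static bool IsPasswordExpired(string user)
    {
        Tuple<string, DateTime> rec;
        if (!Users.TryGetValue(user, out rec)) return true;
        return DateTime.UtcNow - rec.Item2 > MaxPasswordAge;
    }

    private static string HashPlaceholder(string password) { return "HASH-PLACEHOLDER-" + password; }
}

public partial class LoginPage : System.Web.UI.Page
{
    // Wired in markup: <asp:Login ID="Login1" runat="server" OnAuthenticate="Login1_Authenticate" />
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        string user = Login1.UserName;

        // 1. Verify credentials first; never reveal expiration state for bad credentials.
        if (!UserStore.ValidateCredentials(user, Login1.Password))
        {
            e.Authenticated = false;
            return;
        }

        // 2. Password is valid but stale: do not issue the forms-auth ticket.
        //    Leaving e.Authenticated false stops the Login control from calling
        //    FormsAuthentication.SetAuthCookie. Park the user name in session so
        //    the change-password page can re-verify the old password itself.
        if (UserStore.IsPasswordExpired(user))
        {
            e.Authenticated = false;
            Session["PendingPasswordChangeUser"] = user;
            Response.Redirect("~/ChangePassword.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // 3. Normal logon. The Login control issues the cookie; keep the
        //    <forms timeout="..."> in web.config short enough that every user
        //    passes through this check again before the password gets too old.
        e.Authenticated = true;
    }
}
```

Users who are already signed in with a still-valid cookie are untouched by this code, which is exactly the trade-off the answer argues for: the cookie lifetime, not a per-request check, bounds how long an expired password can remain in use, so the `timeout` attribute of the `<forms>` element (and `slidingExpiration`) is the setting to keep tight.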

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow