Native Support for Password Expiration

Posted by Community Admin on 03-Aug-2018 17:16

All Replies

Posted by Community Admin on 04-Feb-2014 00:00

Does Sitefinity support password expiration natively? For example, we would like to have our users' passwords expire every 90 days and require them to reset. Is it possible to configure this or is custom code needed?

Posted by Community Admin on 07-Feb-2014 00:00

Hello,

We have answered you in the support ticket you have opened. I will share our answer with the community.

The functionality you require is not available out of the box, so a custom solution needs to be implemented in order to achieve it. I could provide you with a suggestion on how you can achieve this leveraging Sitefinity's capability to customize user profiles and the built-in event system, which provides easy access to hooks in the core implementation to plug in custom logic.

You can create a custom field for your user profile of type DateTime. In it you will store the initial date when the password has been created/edited. Next, use our EventHub to subscribe to the ILoginCompletedEvent (fired each time a user has logged in). In this event you can check the custom user profile field's date and compare it to the current date (on which the user has logged in). If the difference is greater than 90 days, log out the user programmatically and redirect them to a page with an appropriate message to reset their password. For all this you can use our Security API.

Regards,
Stefani Tacheva
Telerik

Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug is fixed? Explore the Telerik Sitefinity CMS Ideas&Feedback Portal and vote to affect the priority of the items.
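The date comparison described in the reply above, as an added example that is not Sitefinity or Telerik code: a self-contained expiry check that a login handler could call. The PasswordExpiryPolicy class, its Evaluate method and the fail-closed handling of missing or future timestamps are assumptions of this example.

```csharp
using System;
public enum PasswordState { Valid, Expired }
// Hypothetical helper for this example; not part of the Sitefinity API.
public static class PasswordExpiryPolicy
{
    public static readonly TimeSpan MaxAge = TimeSpan.FromDays(90); // policy from the question
    public static PasswordState Evaluate(DateTime? lastChanged, DateTime nowUtc, out TimeSpan remaining)
    {
        remaining = TimeSpan.Zero;
        // Assumption: an unset field or default(DateTime) means "never recorded", so fail closed.
        if (lastChanged == null || lastChanged.Value == DateTime.MinValue)
            return PasswordState.Expired;

        // Compare in UTC so DST or a server time-zone change cannot move the deadline.
        // Local and Unspecified values are interpreted as server local time.
        DateTime changedUtc = lastChanged.Value.Kind == DateTimeKind.Utc
            ? lastChanged.Value
            : lastChanged.Value.ToUniversalTime();

        // Assumption: a timestamp in the future (clock skew, edited field) is not trusted.
        if (changedUtc > nowUtc)
            return PasswordState.Expired;

        // Compare the TimeSpan directly; Convert.ToInt32(TotalDays) rounds to the nearest
        // day, so a password 89.6 days old would already count as 90.
        TimeSpan age = nowUtc - changedUtc;
        if (age >= MaxAge)
            return PasswordState.Expired;

        remaining = MaxAge - age;
        return PasswordState.Valid;
    }
}

public static class Demo
{
    public static void Main()
    {
        DateTime now = new DateTime(2015, 11, 5, 12, 0, 0, DateTimeKind.Utc); // constructed
        // Constructed ages: 30 days, 89.6 days, exactly 90 days, future date, never set.
        DateTime?[] samples = { now.AddDays(-30), now.AddDays(-89.6), now.AddDays(-90), now.AddDays(1), null };
        foreach (DateTime? s in samples)
        {
            TimeSpan left;
            PasswordState state = PasswordExpiryPolicy.Evaluate(s, now, out left);
            Console.WriteLine("{0:u} -> {1}, {2:F1} days left", s, state, left.TotalDays);
        }
    }
}
```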

Posted by Community Admin on 14-Apr-2015 00:00

Have a quick question regarding the above suggestion:

Why is my Response.Redirect being ignored within the ILoginCompletedEvent? And when I say ignored, I mean the code is executing, but Sitefinity is just bringing me to the site root, completely disregarding the /change-password page.

If I change the Redirect endResponse to "true", then I am brought back to the login page and you can clearly see that the query string has been updated with "redirect_uri=/change-password", but as a result of ending the response, I am logged out.

For obvious security reasons, I cannot have an anonymously accessible change password page, but the ILoginCompletedEvent just won't allow a redirection to a secured page.

What am I missing? Any thoughts?

    // Namespaces used: System, System.Web, System.Web.Security
    // Register the handler for the login-completed event
    Telerik.Sitefinity.Services.EventHub.Subscribe<Telerik.Sitefinity.Web.Events.ILoginCompletedEvent>(LoginCompletedEventHandler);

    private void LoginCompletedEventHandler(Telerik.Sitefinity.Web.Events.ILoginCompletedEvent evt)
    {
        if (evt.LoginResult == Telerik.Sitefinity.Security.UserLoggingReason.Success)
        {
            MembershipUser usrInfo = Membership.GetUser(evt.Username);

            string redirectUri = "/change-password";
            // Whole days since the password was last changed
            int daysSincePwdChange = Convert.ToInt32(DateTime.Now.Subtract(usrInfo.LastPasswordChangedDate).TotalDays);

            if (daysSincePwdChange > 89)
            {
                // endResponse = false: the rest of the request keeps executing
                HttpContext.Current.Response.Redirect(redirectUri, false);
            }
        }
    }

Posted by Community Admin on 05-Nov-2015 00:00

So it sounds like we need to create a custom change password form, since the Change Password widget requires the user to be logged in.

Unfortunately I have not had any luck with logging the user out and redirecting them to a custom change password page.   I'm hitting the Response.Redirect in the code, but login continues on to the Sitefinity dashboard.   FYI - I'm trying to do this for the CMS login.

    // Expire passwords after 90 days
    private void OnLogin_Completed(ILoginCompletedEvent evt)
    {
        if (evt.LoginResult == UserLoggingReason.Success)
        {
            MembershipUser usrInfo = Membership.GetUser(evt.Username);

            // Whole days since the password was last changed
            int daysSincePwdChange = Convert.ToInt32(DateTime.Now.Subtract(usrInfo.LastPasswordChangedDate).TotalDays);

            if (daysSincePwdChange >= 90)
            {
                // Log the user out and clear the authentication cookies before redirecting
                SecurityManager.Logout();
                SecurityManager.DeleteAuthCookies();

                HttpContext.Current.Response.Redirect("/CustomChangePassword", false);
            }
        }
    }

Posted by Community Admin on 03-Dec-2015 00:00

Hi - Is password expiration being considered as a core feature of Sitefinity?

mp/m

Posted by Community Admin on 29-Dec-2015 00:00

Hello Mike,

There is a feature request logged for that functionality:
http://feedback.telerik.com/Project/153/Feedback/Details/168285-native-configuration-for-password-expiration

You can vote for it there. Note that the most-voted items are developed with higher priority.

Regards,
Svetoslav Manchev
Telerik

 
 

This thread is closed