Native Support for Password Expiration
Does Sitefinity support password expiration natively? For example, we would like to have our users' passwords expire every 90 days and require them to reset. Is it possible to configure this or is custom code needed?
Hello,
We have answered you in the support ticket you have opened. I will share our answer with the community.
The functionality you require is not available out of the box, so a custom solution needs to be implemented in order to achieve it. I could provide you with a suggestion on how you can achieve this leveraging Sitefinity's capability to customize user profiles and the built-in event system, which provides easy access to hooks in the core implementation to plug in custom logic.
You can create a custom field for your user profile of type DateTime. In it you will store the initial date when the password has been created/edited. Next, use our EventHub to subscribe to the ILoginCompletedEvent (fired each time a user has logged in). In this event you can check the custom user profile field's date and compare it to the current date (on which the user has logged in). If the difference is greater than 90 days, log the user out programmatically and redirect them to a page with an appropriate message to reset their password. For all this you can use our Security API.
Regards,
Stefani Tacheva
Telerik
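The date comparison described in the reply above, as an added example that is not part of the original post and is not Telerik's code. It compares the full TimeSpan instead of a rounded day count (Convert.ToInt32 rounds to the nearest integer, so a rounded count can reach 90 about half a day early). The names PasswordAgePolicy, PasswordState and Demo are hypothetical, and the caller is assumed to pass in the stored change date from its login handler.

```csharp
using System;

// Added example; PasswordAgePolicy, PasswordState and Demo are hypothetical names.
public enum PasswordState { Valid, Expired, NeverSet }

public static class PasswordAgePolicy
{
    // 90 days, the period asked about in this thread.
    public static readonly TimeSpan MaxAge = TimeSpan.FromDays(90);

    // lastChanged: the custom profile field value or
    // MembershipUser.LastPasswordChangedDate. nowUtc is passed in so the
    // check can be exercised with fixed dates.
    public static PasswordState Evaluate(DateTime? lastChanged, DateTime nowUtc)
    {
        // No recorded change date: report it separately so the caller
        // decides how to treat accounts that predate the policy.
        if (lastChanged == null || lastChanged.Value == default(DateTime))
            return PasswordState.NeverSet;

        // ToUniversalTime() leaves Utc values unchanged and treats Local
        // and Unspecified kinds as local time (assumption for Unspecified).
        DateTime changedUtc = lastChanged.Value.ToUniversalTime();

        // A change date in the future (clock skew, bad import) gives a
        // negative age; clamp it to zero.
        TimeSpan age = nowUtc - changedUtc;
        if (age < TimeSpan.Zero) age = TimeSpan.Zero;

        // "Greater than 90 days", compared without rounding to whole days.
        return age > MaxAge ? PasswordState.Expired : PasswordState.Valid;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample dates.
        var now = new DateTime(2024, 6, 30, 12, 0, 0, DateTimeKind.Utc);
        Console.WriteLine(PasswordAgePolicy.Evaluate(now.AddDays(-89.5), now));
        Console.WriteLine(PasswordAgePolicy.Evaluate(now.AddDays(-91), now));
        Console.WriteLine(PasswordAgePolicy.Evaluate(null, now));
        Console.WriteLine(PasswordAgePolicy.Evaluate(now.AddDays(2), now));
    }
}
```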
Have a quick question regarding the above suggestion:
Why is my Response.Redirect being ignored within the ILoginCompletedEvent? And when I say ignored, I mean the code is executing, but Sitefinity is just bringing me to the site root, completely disregarding the /change-password page.
If I change the Redirect endResponse to "true", then I am brought back to the login page and you can clearly see that the query string has been updated with "redirect_uri=/change-password", but as a result of ending the response, I am logged out.
For obvious security reasons, I cannot have an anonymously accessible change password page, but the ILoginCompletedEvent just won't allow a redirection to a secured page.
What am I missing? Any thoughts?
    // Register the handler for completed logins
    Telerik.Sitefinity.Services.EventHub.Subscribe<Telerik.Sitefinity.Web.Events.ILoginCompletedEvent>(LoginCompletedEventHandler);

    private void LoginCompletedEventHandler(Telerik.Sitefinity.Web.Events.ILoginCompletedEvent evt)
    {
        if (evt.LoginResult == Telerik.Sitefinity.Security.UserLoggingReason.Success)
        {
            MembershipUser usrInfo = Membership.GetUser(evt.Username);
            string redirectUri = "/change-password";
            // Days since the password was last changed
            int daysSincePwdChange = Convert.ToInt32(DateTime.Now.Subtract(usrInfo.LastPasswordChangedDate).TotalDays);
            if (daysSincePwdChange > 89)
            {
                HttpContext.Current.Response.Redirect(redirectUri, false);
            }
        }
    }
So it sounds like we need to create a custom change password form, since the Change Password widget requires the user to be logged in.
Unfortunately I have not had any luck with logging the user out and redirecting them to a custom change password page. I'm hitting the Response.Redirect in the code, but login continues on to the Sitefinity dashboard. FYI - I'm trying to do this for the CMS login.
    // Expire passwords after 90 days
    private void OnLogin_Completed(ILoginCompletedEvent evt)
    {
        if (evt.LoginResult == UserLoggingReason.Success)
        {
            MembershipUser usrInfo = Membership.GetUser(evt.Username);
            // Days since the password was last changed
            int daysSincePwdChange = Convert.ToInt32(DateTime.Now.Subtract(usrInfo.LastPasswordChangedDate).TotalDays);
            if (daysSincePwdChange >= 90)
            {
                // Log the user out and clear the auth cookies before redirecting
                SecurityManager.Logout();
                SecurityManager.DeleteAuthCookies();
                HttpContext.Current.Response.Redirect("/CustomChangePassword", false);
            }
        }
    }
Hi - Is password expiration being considered as a core feature of Sitefinity?
mp/m
Hello Mike,
There is a feature request logged for that functionality:
http://feedback.telerik.com/Project/153/Feedback/Details/168285-native-configuration-for-password-expiration
You can vote for it there. Note that the most voted items are developed with higher priority.
Regards,
Svetoslav Manchev
Telerik