
Native Support for Password Expiration

6 posts, 0 answered
  1. David Kintgen
    2 posts
    Registered:
    28 Aug 2009
    04 Feb 2014
    Does Sitefinity support password expiration natively? For example, we would like to have our users' passwords expire every 90 days and require them to reset. Is it possible to configure this or is custom code needed?
  2. Stefani Tacheva
    718 posts
    Registered:
    09 Sep 2016
    07 Feb 2014
    Hello,

    We have answered you in the support ticket you have opened. I will share our answer with the community.

    The functionality you require is not available out of the box, so a custom solution needs to be implemented in order to achieve it. I could provide you with a suggestion on how you can achieve this, leveraging Sitefinity's capability to customize user profiles and the built-in event system, which provides easy access to hooks in the core implementation to plug in custom logic.

    You can create a custom field for your user profile of type DateTime. In it you will store the initial date when the password has been created/edited. Next, use our EventHub to subscribe to the ILoginCompletedEvent (fired each time a user has logged in). In this event you can check the custom user profile field's date and compare it to the current date (on which the user has logged in). If the difference is greater than 90 days, log out the user programmatically and redirect them to a page with an appropriate message to reset their password. For all this you can use our Security API.

    Regards,
    Stefani Tacheva
    Telerik
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug is fixed? Explore the Telerik Sitefinity CMS Ideas&Feedback Portal and vote to affect the priority of the items.
  3. Tod
    3 posts
    Registered:
    26 Feb 2010
    14 Apr 2015 in reply to Stefani Tacheva

    Have a quick question regarding the above suggestion:

    Why is my Response.Redirect being ignored within the ILoginCompletedEvent? And when I say ignored, I mean the code is executing, but Sitefinity is just bringing me to the site root, completely disregarding the /change-password page.

    If I change the Redirect endResponse to "true", then I am brought back to the login page and you can clearly see that the query string has been updated with "redirect_uri=/change-password", but as a result of ending the response, I am logged out.

    For obvious security reasons, I cannot have an anonymously accessible change password page, but the ILoginCompletedEvent just won't allow a redirection to a secured page.

    What am I missing? Any thoughts?

    // Register the handler for the login-completed event.
    Telerik.Sitefinity.Services.EventHub.Subscribe<Telerik.Sitefinity.Web.Events.ILoginCompletedEvent>(LoginCompletedEventHandler);

    private void LoginCompletedEventHandler(Telerik.Sitefinity.Web.Events.ILoginCompletedEvent evt)
    {
        if (evt.LoginResult == Telerik.Sitefinity.Security.UserLoggingReason.Success)
        {
            MembershipUser usrInfo = Membership.GetUser(evt.Username);

            string redirectUri = "/change-password";
            // Days since the last password change; Convert.ToInt32 rounds to the nearest integer.
            int daysSincePwdChange = Convert.ToInt32(DateTime.Now.Subtract(usrInfo.LastPasswordChangedDate).TotalDays);

            if (daysSincePwdChange > 89)
            {
                // endResponse is false, so the rest of the request keeps running after the redirect is set.
                HttpContext.Current.Response.Redirect(redirectUri, false);
            }
        }
    }

  4. Rich
    24 posts
    Registered:
    22 Oct 2012
    05 Nov 2015

    So it sounds like we need to create a custom change password form, since the Change Password widget requires the user to be logged in.

    Unfortunately I have not had any luck with logging the user out and redirecting them to a custom change password page. I'm hitting the Response.Redirect in the code, but login continues on to the Sitefinity dashboard. FYI - I'm trying to do this for the CMS login.

    // Expire passwords after 90 days
    private void OnLogin_Completed(ILoginCompletedEvent evt)
    {
        if (evt.LoginResult == UserLoggingReason.Success)
        {
            MembershipUser usrInfo = Membership.GetUser(evt.Username);
     
            int daysSincePwdChange = Convert.ToInt32(DateTime.Now.Subtract(usrInfo.LastPasswordChangedDate).TotalDays);
     
            if (daysSincePwdChange >= 90)
            {
                SecurityManager.Logout();
                SecurityManager.DeleteAuthCookies();
     
                HttpContext.Current.Response.Redirect("/CustomChangePassword", false);
            }
        }
    }
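
The age comparison from Stefani Tacheva's suggestion, which both handlers posted above also perform, written as a stand-alone policy check. This is an added example, not code from the thread or from Sitefinity: the `PasswordAge` and `PasswordExpiryPolicy` names, the clock-skew allowance and the UTC assumption are hypothetical, and it makes no Sitefinity calls, so the redirect behaviour discussed in the thread is outside its scope.

```csharp
using System;

public enum PasswordAge { Valid, Expired, Unknown }

public static class PasswordExpiryPolicy
{
    public static readonly TimeSpan MaxAge = TimeSpan.FromDays(90);
    public static readonly TimeSpan ClockSkew = TimeSpan.FromMinutes(5); // assumed tolerance between servers

    // lastChanged: the stored "password last changed" value, or null when it was never set.
    public static PasswordAge Evaluate(DateTime? lastChanged, DateTime nowUtc)
    {
        if (lastChanged == null || lastChanged.Value == DateTime.MinValue)
            return PasswordAge.Unknown;   // nothing recorded: the caller should force a reset

        DateTime changedUtc = ToUtc(lastChanged.Value);
        if (changedUtc > nowUtc + ClockSkew)
            return PasswordAge.Unknown;   // timestamp lies in the future: do not trust it

        // Compare TimeSpans directly. Convert.ToInt32(TotalDays) rounds to the
        // nearest integer, so an 89.5-day-old password would already count as 90.
        return (nowUtc - changedUtc) >= MaxAge ? PasswordAge.Expired : PasswordAge.Valid;
    }

    // Assumption: values with DateTimeKind.Unspecified were stored as UTC.
    private static DateTime ToUtc(DateTime value)
    {
        switch (value.Kind)
        {
            case DateTimeKind.Utc:   return value;
            case DateTimeKind.Local: return value.ToUniversalTime();
            default:                 return DateTime.SpecifyKind(value, DateTimeKind.Utc);
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data, not taken from a real site.
        DateTime now = new DateTime(2015, 11, 5, 12, 0, 0, DateTimeKind.Utc);
        DateTime?[] samples = { now.AddDays(-30), now.AddDays(-89.5), now.AddDays(-90), now.AddDays(1), null };
        foreach (DateTime? changed in samples)
            Console.WriteLine("{0,-22:u} -> {1}", changed, PasswordExpiryPolicy.Evaluate(changed, now));
    }
}
```

Treating `Unknown` the same as `Expired` keeps the check fail-closed for accounts whose change date was never recorded.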

  5. Mike
    6 posts
    Registered:
    19 May 2015
    03 Dec 2015

    Hi - Is password expiration being considered as a core feature of Sitefinity?

    mp/m

  6. Svetoslav Manchev
    735 posts
    Registered:
    27 Sep 2016
    29 Dec 2015
    Hello Mike,

    There is a feature request logged for that functionality:
    http://feedback.telerik.com/Project/153/Feedback/Details/168285-native-configuration-for-password-expiration

    You can vote for it there. Note that the most-voted items are developed with higher priority.

    Regards,
    Svetoslav Manchev
    Telerik
     