Change Password Issue

5 posts, 0 answered
  1. IT (52 posts, registered 30 Sep 2008)
     Posted 15 Jun 2009
    I don't know if this is a Sitefinity issue (probably not, since this is all forms authentication) but maybe someone can help me out.  When using the changepassword control, the password change works, but I get access denied on protected pages until I log out and re-authenticate.  I figured the changepassword control would take care of any changes to my ticket but it doesn't seem to be the case.  I also tried some code in the password change event (sample below).

        HttpCookie cookie = Response.Cookies[FormsAuthentication.FormsCookieName];
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);

        var newTicket = new FormsAuthenticationTicket(ticket.Version, ticket.Name, ticket.IssueDate,
                                                      ticket.Expiration, ticket.IsPersistent, Guid.NewGuid().ToString(),
                                                      ticket.CookiePath);
        FormsAuthentication.SignOut();
        FormsAuthentication.SetAuthCookie(ChangePassword1.UserName, ticket.IsPersistent);

        // Also tried this method...
        // var newAuthCookie = new HttpCookie(FormsAuthentication.FormsCookieName,
        //                                    FormsAuthentication.Encrypt(newTicket));
        //
        // Response.Cookies.Add(newAuthCookie);


    Any ideas? Should this just work without re-authenticating?
  2. Georgi (3583 posts, registered 28 Oct 2016)
     Posted 16 Jun 2009
    Hi Michael,

    I am not sure why you get this behavior. We are using the asp.net changepassword control in the Sitefinity administration (MyProfile) and are not facing this problem. Please take a look at the ~/Sitefinity/Admin/CmsAdmin/MyProfile.aspx and its code-behind. You might also try to change your password via this page, and once you change it, you will still be logged in to the Administration, which is assumed to be a protected area.

    On the other hand, the code below:
    ...
    FormsAuthentication.SignOut();
    ...

    Doesn't this mean that the user is signed out, no matter that you set a cookie right after it?

    Greetings,
    Georgi
    the Telerik team

  3. IT (52 posts, registered 30 Sep 2008)
     Posted 17 Jul 2009
    I've finally had a chance to try a couple things out.  First, I stripped the page back to the bare bones:

    using System;
    using System.Web.Security;
    using Telerik.Cms.Web.UI;

    namespace UserControls.ATCAccountControls
    {
        public partial class ChangePassword : CacheSubstitutionUserControl
        {
            public override SubstitutionPageMode PageMode
            {
                get { return SubstitutionPageMode.Full; }
            }

            protected void Page_Load(object sender, EventArgs e)
            {
                // The membership provider name was stored in the ticket's UserData at login time.
                ChangePassword1.MembershipProvider = ((FormsIdentity) Page.User.Identity).Ticket.UserData;
            }
        }
    }

    I also tried using the changepassword via the sitefinity admin (this is out of the box unmodified code).  Again, the password was changed, but when I tried to access protected pages, I got the following error:

    Server Error in '/' Application.

    This type of page is not served.

    Description: The type of page you have requested is not served because it has been explicitly forbidden. Please review the URL below and make sure that it is spelled correctly.

    Requested URL: /en/missioncontrol

    Version Information: Microsoft .NET Framework Version:2.0.50727.3082; ASP.NET Version:2.0.50727.3082

    I haven't tried using it against the Sitefinity provider because we need password changes via AD. I have also tried this with and without the CustomRoleProvider fix (which helped with a lot of unrelated access denied errors). There is no other code running in App_Code, so I don't think anything in there is causing trouble.

    Anything else I can try before writing my own changepassword control?

    Thanks!
  4. IT (52 posts, registered 30 Sep 2008)
     Posted 21 Jul 2009
    I finally figured this one out... What seems to be happening is that the FormsAuthenticationTicket is getting updated when the password changes.  Unfortunately, the control doesn't seem to update the UserData field, so my MembershipProvider info (in this case, for Active Directory) is gone.  Once that's gone, Sitefinity can no longer get the roles from CustomRoleProvider which leaves the user with no roles and no access.  To fix this, I added a ChangedPassword event to the login control that creates a new ticket based on the old one:

            using System;
            using System.Web;
            using System.Web.Security;

            protected void ChangePassword1_ChangedPassword(object sender, EventArgs e)
            {
                // After changing the password, the UserData (MembershipProvider) is blank.
                // Manually re-issue the forms authentication ticket with the correct UserData.
                try
                {
                    FormsAuthenticationTicket oldTicket = ((FormsIdentity) Page.User.Identity).Ticket;

                    if (!string.IsNullOrEmpty(oldTicket.UserData))
                    {
                        // Six-argument overload: CookiePath defaults to FormsAuthentication.FormsCookiePath.
                        var ticket = new FormsAuthenticationTicket(oldTicket.Version,
                                                                   oldTicket.Name,
                                                                   oldTicket.IssueDate,
                                                                   oldTicket.Expiration,
                                                                   oldTicket.IsPersistent,
                                                                   ChangePassword1.MembershipProvider);

                        string encryptedTicket = FormsAuthentication.Encrypt(ticket);

                        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

                        Response.Cookies.Add(cookie);
                    }
                }
                catch (Exception ex)
                {
                    // Handle however you like
                }
            }

    I haven't bothered to figure out why it gets wiped out - I'm just happy to have it working.
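The mechanism described in the post above (the ChangePassword control queues a fresh forms ticket whose UserData is empty, so the provider name that Sitefinity keeps there is lost and role lookups fail) can be repaired without a SignOut/SetAuthCookie round trip. The following is an added C# example; it is not code from this thread or from Telerik. It assumes, as the posts describe, that the control has already placed a new forms cookie in Response.Cookies by the time ChangedPassword fires, that the ticket the request ran under still carries the provider name in UserData, and that the control is named ChangePassword1; the host page class and the helper's names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example, not code from this thread or from Telerik. Assumes the
// ChangePassword control has already queued a forms cookie with empty
// UserData, and that UserData holds the membership provider name.
public static class FormsTicketRepair
{
    // Copy every field of 'source' into a new ticket, replacing only UserData.
    public static FormsAuthenticationTicket CloneWithUserData(
        FormsAuthenticationTicket source, string userData)
    {
        if (source == null) throw new ArgumentNullException("source");
        return new FormsAuthenticationTicket(
            source.Version, source.Name, source.IssueDate, source.Expiration,
            source.IsPersistent, userData ?? string.Empty, source.CookiePath);
    }

    // Call from the ChangedPassword handler. Returns true when a repaired
    // cookie replaced the one the control queued, false when nothing was done.
    public static bool RestoreUserData(HttpContext context)
    {
        FormsIdentity identity = context.User == null
            ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return false;

        // The ticket this request ran under still carries the provider name.
        FormsAuthenticationTicket requestTicket = identity.Ticket;
        if (requestTicket.Expired || string.IsNullOrEmpty(requestTicket.UserData))
            return false; // never revive an expired ticket, nothing to copy otherwise

        // Only touch a cookie the control actually queued: indexing
        // Response.Cookies by name would silently create an empty one.
        string cookieName = FormsAuthentication.FormsCookieName;
        if (Array.IndexOf(context.Response.Cookies.AllKeys, cookieName) < 0) return false;

        FormsAuthenticationTicket queuedTicket;
        try
        {
            queuedTicket = FormsAuthentication.Decrypt(context.Response.Cookies[cookieName].Value);
        }
        catch (Exception)
        {
            return false; // not a ticket this application issued; leave it alone
        }
        if (queuedTicket == null) return false;

        // Never carry UserData across accounts, and never overwrite data that is present.
        if (!string.Equals(queuedTicket.Name, requestTicket.Name, StringComparison.OrdinalIgnoreCase))
            return false;
        if (!string.IsNullOrEmpty(queuedTicket.UserData)) return false;

        FormsAuthenticationTicket repaired = CloneWithUserData(queuedTicket, requestTicket.UserData);

        HttpCookie cookie = new HttpCookie(cookieName, FormsAuthentication.Encrypt(repaired));
        cookie.HttpOnly = true;                          // the ticket is never needed by script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follow <forms requireSSL="..."/>
        cookie.Path = repaired.CookiePath;
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;
        if (repaired.IsPersistent) cookie.Expires = repaired.Expiration;

        context.Response.Cookies.Set(cookie);            // replace, do not add a duplicate
        return true;
    }
}

// Hypothetical host page; ChangePassword1 is the control name used in the thread.
public partial class ChangePasswordPage : Page
{
    protected void ChangePassword1_ChangedPassword(object sender, EventArgs e)
    {
        if (!FormsTicketRepair.RestoreUserData(Context))
        {
            // Nothing was repaired: UserData survived, the request was not
            // authenticated, or the queued cookie was not ours. Worth logging
            // while diagnosing the access-denied behaviour described in the thread.
        }
    }
}
```

The checks are what distinguish this from a blind re-issue: the repair only runs when the request was authenticated with an unexpired ticket, only copies UserData into a ticket for the same user name, and emits the cookie with HttpOnly and the configured Secure flag so the re-issued ticket is no weaker than the one the framework would have set. When Sitefinity's own UserManager is available, the one-line call shown in the next post delegates the same re-issue to Telerik; this version uses only the framework's FormsAuthentication API.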
  5. Jason M (108 posts, registered 15 Jan 2007)
     Posted 23 Dec 2009

    Glad I found this ticket, saved me quite a bit of time!!

    I think this is a "security hole" when you're using a custom forms authentication.  To fix mine I used the following:

        protected void ChangePassword1_ChangedPassword(object sender, EventArgs e)
        {
            HttpCookie cookie = this.Response.Cookies[FormsAuthentication.FormsCookieName];
            Telerik.Security.UserManager.Default.SetAuthenticationCookie(cookie);
        }


    J