Home / Developer Network / Forums / Sitefinity Older Versions (3.x): Security > Change Password Issue

Change Password Issue

  • Stormy

    Posted on Jun 15, 2009 (permalink)

    I don't know if this is a Sitefinity issue (probably not, since this is all forms authentication) but maybe someone can help me out.  When using the changepassword control, the password change works, but I get access denied on protected pages until I log out and re-authenticate.  I figured the changepassword control would take care of any changes to my ticket but it doesn't seem to be the case.  I also tried some code in the password change event (sample below).

    HttpCookie cookie = Response.Cookies[FormsAuthentication.FormsCookieName];
    FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);

    // Build a replacement ticket from the existing one, swapping in new UserData.
    var newTicket = new FormsAuthenticationTicket(ticket.Version, ticket.Name, ticket.IssueDate,
                                                  ticket.Expiration, ticket.IsPersistent, Guid.NewGuid().ToString(),
                                                  ticket.CookiePath);
    FormsAuthentication.SignOut();
    FormsAuthentication.SetAuthCookie(ChangePassword1.UserName, ticket.IsPersistent);

    // Also tried this method...
    //var newAuthCookie = new HttpCookie(FormsAuthentication.FormsCookieName,
    //                                   FormsAuthentication.Encrypt(newTicket));
    //Response.Cookies.Add(newAuthCookie);

    Any ideas? Should this just work without re-authenticating?


  • Georgi (admin)

    Posted on Jun 16, 2009 (permalink)

    Hi Michael,

    I am not sure why you get this behavior. We are using the asp.net changepassword control in the Sitefinity administration (MyProfile) and are not facing this problem. Please take a look at the ~/Sitefinity/Admin/CmsAdmin/MyProfile.aspx and its code-behind. You might also try to change your password via this page, and once you change it, you will still be logged in the Administration which is assumed to be protected area.

    On the other hand, the code below:
    ...
    FormsAuthentication.SignOut();
    ...

    Doesn't this mean that the user is signed-out, no matter that you set a cookie right after it?

    Greetings,
    Georgi
    the Telerik team


  • Stormy

    Posted on Jul 17, 2009 (permalink)

    I've finally had a chance to try a couple things out.  First, I stripped the page back to the bare bones:

    using System;
    using System.Web.Security;
    using Telerik.Cms.Web.UI;

    namespace UserControls.ATCAccountControls
    {
        public partial class ChangePassword : CacheSubstitutionUserControl
        {
            public override SubstitutionPageMode PageMode
            {
                get { return SubstitutionPageMode.Full; }
            }

            protected void Page_Load(object sender, EventArgs e)
            {
                // Point the control at the membership provider recorded in the ticket's UserData.
                ChangePassword1.MembershipProvider = ((FormsIdentity) Page.User.Identity).Ticket.UserData;
            }
        }
    }

    I also tried using the changepassword via the sitefinity admin (this is out of the box unmodified code).  Again, the password was changed, but when I tried to access protected pages, I got the following error:

    Server Error in '/' Application.

    This type of page is not served.

    Description: The type of page you have requested is not served because it has been explicitly forbidden. Please review the URL below and make sure that it is spelled correctly.

    Requested URL: /en/missioncontrol

    Version Information: Microsoft .NET Framework Version:2.0.50727.3082; ASP.NET Version:2.0.50727.3082

    I haven't tried using it against the Sitefinity provider because we need password changes via AD. I have also tried this with and without the CustomRoleProvider fix (which helped with a lot of unrelated access denied errors). There is no other code running in App_Code, so I don't think anything in there is causing trouble.

    Anything else I can try before writing my own changepassword control?

    Thanks!


  • Stormy

    Posted on Jul 21, 2009 (permalink)

    I finally figured this one out... What seems to be happening is that the FormsAuthenticationTicket is getting updated when the password changes.  Unfortunately, the control doesn't seem to update the UserData field, so my MembershipProvider info (in this case, for Active Directory) is gone.  Once that's gone, Sitefinity can no longer get the roles from CustomRoleProvider which leaves the user with no roles and no access.  To fix this, I added a ChangedPassword event to the login control that creates a new ticket based on the old one:

            protected void ChangePassword1_ChangedPassword(object sender, EventArgs e)
            {
                // After changing the password, the UserData (MembershipProvider) is blank.
                // Manually re-issue the forms authentication ticket with correct UserData.
                try
                {
                    FormsAuthenticationTicket oldTicket = ((FormsIdentity) Page.User.Identity).Ticket;

                    if (!string.IsNullOrEmpty(oldTicket.UserData))
                    {
                        // Copy everything from the old ticket except UserData, which is set
                        // back to the provider name the control is bound to.
                        var ticket = new FormsAuthenticationTicket(oldTicket.Version,
                                                                   oldTicket.Name,
                                                                   oldTicket.IssueDate,
                                                                   oldTicket.Expiration,
                                                                   oldTicket.IsPersistent,
                                                                   ChangePassword1.MembershipProvider);

                        string encryptedTicket = FormsAuthentication.Encrypt(ticket);

                        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

                        // Overwrites the blank-UserData cookie the password change produced.
                        Response.Cookies.Add(cookie);
                    }
                }
                catch (Exception ex)
                {
                    // Handle however you like
                }
            }

    I haven't bothered to figure out why it gets wiped out - I'm just happy to have it working.

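    The same re-issue done as a reusable helper, as an added example that is not code from this thread or from Sitefinity: it keeps the old ticket's UserData (falling back to the provider name the page knows), copies the ticket's persistence into the cookie lifetime, and sets the cookie attributes a freshly issued auth cookie should carry. The class name, the `ctx`/`fallbackUserData` parameters and the control name `ChangePassword1` are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not part of Sitefinity) for the ChangedPassword event.
public static class AuthTicketHelper
{
    // Re-issues the forms ticket with UserData preserved.
    // Returns the cookie written, or null when there was nothing to fix.
    public static HttpCookie ReissuePreservingUserData(HttpContext ctx, string fallbackUserData)
    {
        var identity = ctx.User.Identity as FormsIdentity;
        if (identity == null)
            return null; // not forms-authenticated; nothing to re-issue

        FormsAuthenticationTicket old = identity.Ticket;
        // The current identity still carries the pre-change UserData; prefer it,
        // otherwise fall back to the provider name the page passed in.
        string userData = string.IsNullOrEmpty(old.UserData) ? fallbackUserData : old.UserData;
        if (string.IsNullOrEmpty(userData))
            return null;

        var fresh = new FormsAuthenticationTicket(
            old.Version, old.Name, old.IssueDate, old.Expiration,
            old.IsPersistent, userData, old.CookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(fresh))
        {
            HttpOnly = true,                          // keep script away from the ticket
            Secure = FormsAuthentication.RequireSSL,  // honour <forms requireSSL="true">
            Path = FormsAuthentication.FormsCookiePath
        };
        if (FormsAuthentication.CookieDomain != null)
            cookie.Domain = FormsAuthentication.CookieDomain;
        if (fresh.IsPersistent)
            cookie.Expires = fresh.Expiration;        // otherwise stays a session cookie

        // Drop the blank-UserData cookie queued by the password change, then add ours.
        ctx.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
        ctx.Response.Cookies.Add(cookie);
        return cookie;
    }
}

// Usage from the page's handler (assumed control name):
//   protected void ChangePassword1_ChangedPassword(object sender, EventArgs e)
//   {
//       AuthTicketHelper.ReissuePreservingUserData(Context, ChangePassword1.MembershipProvider);
//   }
```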

  • Posted on Dec 23, 2009 (permalink)

    Glad I found this ticket, saved me quite a bit of time!!

    I think this is a "security hole" when you're using a custom forms authentication.  To fix mine I used the following:

        protected void ChangePassword1_ChangedPassword(object sender, EventArgs e)
        {
            HttpCookie cookie = this.Response.Cookies[FormsAuthentication.FormsCookieName];
            Telerik.Security.UserManager.Default.SetAuthenticationCookie(cookie);
        }


    J
