ASP.NET Membership Tip: Requiring New Users To Change Their Password When Logging On For The First Time
Most Internet-facing websites that support user accounts allow visitors to register an account on their own. Take a site like Facebook, for example. A visitor who wishes to create a new account may do so by visiting the registration page, choosing a username and password, and entering their email address. Implementing such a workflow in an ASP.NET application is relatively straightforward: enable Membership and then create a registration web page, using a CreateUserWizard control to collect user input and create the new account. Out of the box, the CreateUserWizard control prompts a registering user for their username, password, email address, and security question and answer, and then creates a new account and signs the user in once the process completes.
Like the othe Login-related Web controls, the CreateUserWizard can be customized both in its appearance and behavior. There are articles on 4Guys, like Customizing the CreateUserWizard Control, that show how to configure the CreateUserWizard control to include additional questions to the registering user. Examining ASP.NET's Membership, Roles, and Profile - Part 11 explores how to verify a new user's email address by requiring them to click on a link sent in an email message before being signing in for the first time. It's also possible to use the CreateUserWizard control to create user accounts for other people. This is useful for websites that don't allow anonymous users to register, but rather require that the site's administrators manually create each user account.
I recently got an email from a reader who had a site where user accounts were created by a site administrator. Upon creating the account, the new user would receive an email with the username and password the administrator chose for them, along with a link to the sign in page. What this reader wanted to do was require these new users to immediately change their password after signing in for the first time. This functionality is easy to implement with a slight enhancement to a previous article of mine.
Examining ASP.NET's Membership, Roles, and Profile - Part 16 shows how to set up a password expiry policy for an ASP.NET application that uses Membership. In a nutshell, the Membership system exposes a particular user's last password changed date/time via the MembershipUser class's LastPasswordChangedDate property. To quote from the article: “This property is set to the current date and time when the user account is first created or whenever the user changes her password.”
Part 16 shows how to create a page where the user can change their password as well as how to determine if the user's password has expired when they sign on. This latter task is accomplished by creating an event handler for the Login control's Authenticate event and verifying that the number of days since the user last changed their password has not exceeded the password expiry window:
Protected Sub myLogin_Authenticate(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.AuthenticateEventArgs) Handles myLogin.Authenticate
'Are the credentials valid?
If Membership.ValidateUser(myLogin.UserName, myLogin.Password) Then
'Has the password expired?
Dim usrInfo As MembershipUser = Membership.GetUser(myLogin.UserName)
Dim daysSincePwdChange As Integer = Convert.ToInt32(DateTime.Now.Subtract(usrInfo.LastPasswordChangedDate).TotalDays)
If daysSincePwdChange > SecurityUtils.DefaultPasswordExpiryInDays Then
'Password expired, send user to change password
Response.Redirect("~/ChangePassword.aspx?UserName=" & Server.UrlEncode(myLogin.UserName))
e.Authenticated = True 'Credentials valid & password is current
e.Authenticated = False 'Invalid!
To force new users to change their password upon signing in for the first time, simply add a condition to the If statement to check whether the user's CreationDate and LastPasswordChangedDate properties are one in the same:
If daysSincePwdChange > SecurityUtils.DefaultPasswordExpiryInDays OrElse userInfo.CreationDate = userInfo.LastPasswordChangedDate Then