Suggestion: Add a property on UserAccount to force password change at next login about brockallen.membershipreboot HOT 7 CLOSED

+1
I came to the partial conclusion that there is a process for this using your application. Maybe some discussion is in order to decide if this should be within MembershipReboot. My alternatives are how I plan to handle it.

Alternative for forgotten password: The admin requests a password change on the behalf of the user using the users email address. This will request a validation email to the user and the user clicks on the link to change their password. The admin has no need to enter a new password or know what it is.

Alternative for forcing a password: The code behind in the application could change the password with a unique guid or other random string that no one would know. Then email the user with a change password validation. This would force the user to reset the password and not allow the user to login until they validated.

Alternative for requiring a password change: The application could add a claim to the user account that would set a reset password flag to require a password change and redirect to the change password page until the password was changed.

I am sure Brock will have some feedback on this one.

from brockallen.membershipreboot.

This is an interesting requirement. My only problem is that at the library level there's no way to force the user to do anything -- that's up to the UI or whatever application is using the library. I could add a "MustChangePassword" property on the UserAccount -- would this suffice?

from brockallen.membershipreboot.

Your solution would allow the tracking of the flag easier, but it would be just as easy to create a claim by creating a role called "MustChangePassword" also, so it is up to you whether it is beneficial or not? I would end up doing the same logic whether you make the change or not. Up to you. I do agree with you after working on this, that it should be up to each individual application unless you decided to tie it to logging in successfully.

from brockallen.membershipreboot.

Normally for other info I might suggest a custom claim, but since there's already the concept of "must change password" (or I guess I should say "should") then I don't mind making a dedicated flag in the UserAccount model.

from brockallen.membershipreboot.

Fantastic! I am really liking what you have done here. This has made me realize how tied to Membership I was.
Thank You for making this available and the time spent.

from brockallen.membershipreboot.

Yes. And you already have the password expiry .. could work in a similar way to that.

from brockallen.membershipreboot.

Ok, done.

from brockallen.membershipreboot.