Wednesday, 25 June 2014

Enforce Password Expiration - Sitecore

To enforce the current user to change the password is straightforward and only needs a little coding. Following the following three step will take you through the implementation

  1. Defining when the user should change the password
  2. Create the functionality to handling the current user who tries to log into Sitecore
  3. At the loggingin processor add the processor setting to the functionality at step 2

Defining when the user should change the password

First, I created an item to handle the timespan from when users have to change their password. And also an checkbox to (de-)activate the “Force New Password” functionality.

Create the functionality

Sitecore security model uses the ASP.NET membership. The ASP.NET membership includes different information about authentications of the users – the creation date of the users, last login date, last logout date, but also last password changed date of each user. Knowing this, it is straightforward to implement the “Force New Password” functionality. It only requires a couple of lines of coding.

When authenticating the user logging into Sitecore, the trick is to check the “LastPasswordChangedDate”:


The Codings:

using System;
using System.Web;
using System.Web.Security;
using Sitecore.Data.Items;
using Sitecore.Pipelines.LoggingIn;

namespace MyProject.SitecoreExtensions.Pipelines.LoggingIn
    public class ForceNewPassword
        private Item itmForceNewPasswordSetting =
            Sitecore.Configuration.Factory.GetDatabase("master").GetItem("/sitecore/system/Settings/Security/Security Settings/Force New Password");

        public void Process(LoggingInArgs args)
            if (!IsActivated())

            int monthsToExpire = 0;
                int.TryParse(itmForceNewPasswordSetting["TimeToExpire"], out monthsToExpire);


            MembershipUser currentUser = Membership.GetUser(args.Username);

            if (currentUser != null)
                if ((DateTime.Now.AddMonths(-monthsToExpire)) > currentUser.LastPasswordChangedDate)
                    Sitecore.Diagnostics.Log.Audit(string.Format("Force New Password: User {0}, has been forced to change password", user.UserName), this);

                    //Redirect to Sitecore default Change Password Site

        private bool IsActivated()
            if (itmForceNewPasswordSetting == null)
                return false;

            if (string.IsNullOrEmpty(itmForceNewPasswordSetting["ActivateForcePassword"]))
                return false;
            if (itmForceNewPasswordSetting["ActivateForcePassword"].Equals("0"))
                return false;

            return true;

Add a processor tag to the loggingin processor

The final step is to add the functionality checking whether the current user needs to change the password, into the loggingin processor.

You could do this by adding the processor tag manually directly into the web.config file, but best practice is to include the modifications into a separate include file (stored under “/App_Config/Include” folder):

Notice the changes should be included as the first processor in the loggingin processor (this is done by using the “patch:before” setting).


Test the “Force New Password”

Implementing the above functionality should do the trick … Notice the “Last Password Changed” value.

Before changing the password:

After changing the password:

No comments: