Using Global.asax Application_PostAuthenticateRequest to manage password expiry

Time: 2014-09-19 16:00:45

Tags: vb.net forms-authentication

Visual Studio 2013, VB.NET 4.0, AJAXControlToolkit 4.1.7.930

I have the following code in my Global.asax to validate the pages on my site and to force password changes.

' Global.asax needs these namespaces for Membership and ConfigurationManager:
' <%@ Import Namespace="System.Web.Security" %>
' <%@ Import Namespace="System.Configuration" %>
Sub Application_PostAuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)

    ' only want to evaluate stuff that is relevant to security
    If Not Request.Path.EndsWith("About.aspx") _
        AndAlso Not Request.Path.EndsWith(".css") _
        AndAlso Not Request.Path.EndsWith(".jpg") _
        AndAlso Not Request.Path.EndsWith(".gif") _
        AndAlso Not Request.Path.EndsWith(".png") Then

        If Request.AppRelativeCurrentExecutionFilePath = "~/" Then
            HttpContext.Current.RewritePath("Login.aspx")
        End If

        ' Check if their password has expired or they are a brand new user,
        '  if so force a password change
        If User.Identity.IsAuthenticated Then

            ' user authenticated

            Dim Usr = Membership.GetUser()
            ' appSettings values are strings; parse explicitly so this also compiles with Option Strict On
            Dim PasswordExpiryDays As Integer = Integer.Parse(ConfigurationManager.AppSettings("PasswordExpiryDays"))

            If Usr IsNot Nothing Then

                ' was the last time the password changed the date the account was created?
                ' Or is it expired?
                If Usr.LastPasswordChangedDate.AddDays(PasswordExpiryDays) < Now _
                        OrElse Usr.LastPasswordChangedDate = Usr.CreationDate Then

                    ' they need to change their password,
                    '  make sure we aren't on a ChangePassword page already!
                    If Not Request.Path.EndsWith("ChangePassword.aspx") Then

                        ' since users will already be logged in if they try to do a normal PasswordChange.aspx
                        ' we can assume that all failed authentications need to go to the Login process
                        '  (and go through the 'Check for Application Invites' process)
                        Try
                            Server.Transfer("~/LoginChangePassword.aspx")
                        Catch ex As Exception

                            ' if the Server.Transfer fails, try Response.Redirect
                            Response.Redirect("~/LoginChangePassword.aspx")
                        End Try

                    End If

                Else
                    ' Authenticated but don't need to change their password.
                End If
            End If

        Else
            ' user is not authenticated, let Membership handle getting them logged in.

        End If
    End If
End Sub

Everything works fine except for this case: if I log in with an expired password, I am redirected to LoginChangePassword.aspx ... which is expected. This page has an asp:ChangePassword control. If the user successfully changes their password on the first attempt, they can continue into the site. If for some reason the user refreshes the page, they get errors and nothing works any more.

Chrome in particular reports errors such as a large number of "Unexpected token <" errors, but the interesting one is "ASP.NET Ajax client-side framework failed to load.". I was able to track it down: my code in Application_PostAuthenticateRequest was catching the handling of the ScriptResource.axd and WebResource.axd files and redirecting them back to the LoginChangePassword.aspx page (the very page I was on!). Why it produces the error the second time, I don't know.

But I did find a way to "fix" it. In the opening IF statement, if I also skip processing of the ScriptResource.axd and WebResource.axd files, everything works fine.

So my question is, am I missing something about file security and .axd files? Is it OK to keep ignoring whether an authenticated user is processing these .axd files?

Thanks

1 answer:

Answer 0: (score: 0)

.axd files are script resources, so for a reliable check you should only redirect requests of the type text/html

    ' short-circuit with AndAlso so AcceptTypes.Length is not read when AcceptTypes is Nothing
    If req.AcceptTypes IsNot Nothing AndAlso req.AcceptTypes.Length > 0 AndAlso req.AcceptTypes(0) = "text/html" Then
        ' your stuff here
    End If
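As an added example (not the asker's Global.asax code and not the answerer's snippet), the decision logic from the question and the Accept-header check from the answer can be pulled out of the Application_PostAuthenticateRequest hook into functions that take plain values, so they can be exercised without an HttpContext. The module and function names (PasswordPolicyGate, ShouldEnforcePasswordPolicy, PasswordChangeRequired) are assumptions for this example, as is the case-insensitive path comparison, which the question's code does not do even though IIS paths are case-insensitive.

```vb
' Added example: request gating for the password-expiry redirect, separated from HttpContext.
' Names in this module are assumptions for illustration, not names from the question or answer.
Imports System

Public Module PasswordPolicyGate

    ' Suffixes the gate must ignore. ScriptResource.axd and WebResource.axd serve embedded
    ' script resources rather than application pages, so redirecting them to a page breaks
    ' the AJAX client framework on the very page the user was just sent to.
    Private ReadOnly SkippedSuffixes As String() =
        {".css", ".js", ".jpg", ".gif", ".png", ".axd", "About.aspx"}

    ' Returns True when the password-expiry redirect should be considered for this request.
    ' path:        HttpRequest.Path (no query string; compared case-insensitively, as IIS does)
    ' acceptTypes: HttpRequest.AcceptTypes (Nothing when the client sent no Accept header)
    Public Function ShouldEnforcePasswordPolicy(path As String, acceptTypes As String()) As Boolean
        If path Is Nothing Then Return False

        For Each suffix In SkippedSuffixes
            If path.EndsWith(suffix, StringComparison.OrdinalIgnoreCase) Then Return False
        Next

        ' The answer's check: only full-page navigations (first Accept value text/html) get the
        ' redirect. The Accept header is client-controlled, so this decides only whether to
        ' redirect; page authorization itself still comes from forms authentication.
        If acceptTypes Is Nothing OrElse acceptTypes.Length = 0 Then Return False
        Dim mediaType = acceptTypes(0).Split(";"c)(0).Trim()
        Return mediaType.Equals("text/html", StringComparison.OrdinalIgnoreCase)
    End Function

    ' The expiry rule from the question, with the clock passed in so the result is deterministic:
    ' a change is required when the password is older than expiryDays or was never changed
    ' since the account was created.
    Public Function PasswordChangeRequired(lastPasswordChanged As DateTime,
                                           creationDate As DateTime,
                                           expiryDays As Integer,
                                           now As DateTime) As Boolean
        Return lastPasswordChanged.AddDays(expiryDays) < now OrElse lastPasswordChanged = creationDate
    End Function

    ' Usage with constructed values, standing in for what Global.asax would read from Request.
    Public Sub Main()
        Dim htmlNavigation = {"text/html", "application/xhtml+xml"}
        Dim scriptRequest = {"*/*"}

        ' a page navigation: subject to the policy
        Console.WriteLine(ShouldEnforcePasswordPolicy("/LoginChangePassword.aspx", htmlNavigation))
        ' the script handler that caused the question's breakage: skipped
        Console.WriteLine(ShouldEnforcePasswordPolicy("/ScriptResource.axd", scriptRequest))
        ' excluded page, in a different letter case than the code's literal
        Console.WriteLine(ShouldEnforcePasswordPolicy("/ABOUT.ASPX", htmlNavigation))

        Dim created = New DateTime(2014, 1, 1)
        ' brand-new user: password never changed since creation
        Console.WriteLine(PasswordChangeRequired(created, created, 90, New DateTime(2014, 1, 2)))
        ' password changed 1 March, checked 19 September with a 90-day limit: expired
        Console.WriteLine(PasswordChangeRequired(New DateTime(2014, 3, 1), created, 90, New DateTime(2014, 9, 19)))
        ' password changed 1 September: still within the limit
        Console.WriteLine(PasswordChangeRequired(New DateTime(2014, 9, 1), created, 90, New DateTime(2014, 9, 19)))
    End Sub
End Module
```

Inside Application_PostAuthenticateRequest the call would be ShouldEnforcePasswordPolicy(Request.Path, Request.AcceptTypes) followed by PasswordChangeRequired(Usr.LastPasswordChangedDate, Usr.CreationDate, PasswordExpiryDays, Now). Keeping the two decisions in plain functions makes the .axd and Accept-header exclusions easy to unit-test, and it keeps clear that these exclusions only govern the redirect: they do not grant access to anything, because the .axd handlers serve script resources and every real page remains behind forms authentication.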