I have an asp.net app which needs to log users into Active Directory using forms authentication (windows authentication isn't an option with the given requirements).
I'm saving authentication cookies like so:
if (Membership.ValidateUser(model.UserName, model.Password))
{
FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
}
This works great, except that the cookie authenticates the user even after they change their Active Directory password.
Is there a way to tell if the user's password has changed?
I'm using asp.net MVC3 with .NET 4
What I've Tried
If feel like this code should work, however the HttpWebResponse never contains any cookies. Not quite sure what I'm doing wrong.
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(Request.Url);
request.CookieContainer = new CookieContainer();
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
Cookie authCookie = response.Cookies["AuthCookie"];
if (authCookie.TimeStamp.CompareTo(Membership.GetUser().LastPasswordChangedDate) < 0)
{
authCookie.Expired = true;
}