当用户在ASP.NET/ASP.NET MVC中更改密码时，如何使任何自动登录cookie到期？

Question

I use ASP.NET Form Authentication method in my project to keep login information as user id in user's cookie like the below code. It works well without any problem.

FormsAuthentication.SetAuthCookie(userInfo.id.ToString(), model.AutoLogin);

But the problem occurs when user use automatic login and then he change his password. In some site, I see it will force you to re-login when you change password. It's quite easy for forcing current page to log out and re-login again.

But I don't find any nice idea for forcing other auto-login cookie in other browser to login again. I have some quite ugly idea for doing that but I don't like it.

1. Keep latest change password date in user data.

2. Put it in authentication cookie like the following code.

   FormsAuthentication.SetAuthCookie(userInfo.id.ToString() + '|' + userInfo.ChangePasswordDate, model.AutoLogin);

Do you have any better idea for solving this question that work with ASP.NET and ASP.NET MVC?

Thanks,

Answer 1

The authentication cookie contains only the encrypted username. So either you really force the user to re-login by signing him out ( FormsAuthentication.SignOut ) or you do nothing in which case the old cookie is still valid, still authenticated but his password was changed in the datastore so that next time him tries to login he will need to use this new password.