---
title: Re-authenticate Before Critical Changes
impact: MEDIUM
impactDescription: prevents unauthorized critical operations
tags: authentication, critical, reauthentication, security, csharp
---

## Re-authenticate Before Critical Changes

Critical actions such as changing a password, email address or phone number, changing 2FA settings, or adding a new login method should require the user to re-enter their password (or complete another strong re-authentication step) at the moment of the request, even though they already hold a valid session. A session cookie can be stolen, left open on a shared device, or driven by script after an XSS; a fresh credential check means that holding the session alone is not enough to take over the account. The re-check must be subject to the same lockout and rate limiting as login, otherwise the endpoint becomes a password oracle for an attacker who already has the session.

**Incorrect (no verification):**

```csharp
[HttpPost]
public async Task<IActionResult> ChangeEmail(string newEmail)
{
    var user = await _userManager.GetUserAsync(User);
    await _userManager.SetEmailAsync(user, newEmail); // Anyone holding the session cookie can redirect account recovery
    return Ok();
}
```

**Correct (verify password):**

```csharp
[Authorize]
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> ChangeEmail(ChangeEmailModel model)
{
    var user = await _userManager.GetUserAsync(User);
    if (user == null || await _userManager.IsLockedOutAsync(user))
    {
        return Unauthorized();
    }

    // Check password again. CheckPasswordAsync does not touch the lockout counter,
    // so record the failure explicitly; otherwise this endpoint is a password oracle.
    var passwordCheck = await _userManager.CheckPasswordAsync(user, model.CurrentPassword ?? string.Empty);
    if (!passwordCheck)
    {
        await _userManager.AccessFailedAsync(user);
        return Unauthorized("Invalid password");
    }
    await _userManager.ResetAccessFailedCountAsync(user);

    // Proceed with change and surface validation errors instead of ignoring the result
    var result = await _userManager.SetEmailAsync(user, model.NewEmail);
    if (!result.Succeeded)
    {
        return BadRequest(result.Errors);
    }
    return Ok();
}
```
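The password check above only works for users who have a local password. The following is an added example, not code from the original page, that generalizes the same re-authentication step into a reusable method: it uses `SignInManager.CheckPasswordSignInAsync` with `lockoutOnFailure: true` so failed attempts count toward lockout, falls through to a TOTP check for users whose account has 2FA enabled or has no local password at all (external-login-only accounts), and rotates the security stamp after the change so sessions issued before it stop validating. The controller, the `ReauthenticatedChangeEmailModel` class and the use of `IdentityUser` and the authenticator-app token provider are assumptions for illustration.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Assumed input model for this example (not from the original page).
public class ReauthenticatedChangeEmailModel
{
    public string NewEmail { get; set; }
    public string CurrentPassword { get; set; }   // for users with a local password
    public string AuthenticatorCode { get; set; } // for users with 2FA enabled
}

[Authorize]
public class AccountController : Controller
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;

    public AccountController(UserManager<IdentityUser> userManager,
                             SignInManager<IdentityUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    // Re-verifies the caller's credential right now, regardless of how old the
    // session cookie is. Returns null on success, otherwise a message for the caller.
    private async Task<string> ReauthenticateAsync(IdentityUser user, string password, string authenticatorCode)
    {
        if (await _userManager.IsLockedOutAsync(user))
            return "Account is locked out.";

        var hasPassword = await _userManager.HasPasswordAsync(user);
        var twoFactorEnabled = await _userManager.GetTwoFactorEnabledAsync(user);

        if (hasPassword)
        {
            // lockoutOnFailure: true increments the access-failed count on a wrong
            // password, so a hijacked session cannot brute-force the password here.
            var result = await _signInManager.CheckPasswordSignInAsync(
                user, password ?? string.Empty, lockoutOnFailure: true);
            if (result.IsLockedOut) return "Account is locked out.";
            if (!result.Succeeded) return "Invalid password.";
        }
        else if (!twoFactorEnabled)
        {
            // External-login-only account with no second factor: refuse rather than
            // silently skipping the check.
            return "No credential available for re-authentication.";
        }

        if (twoFactorEnabled)
        {
            // Assumes the authenticator-app provider; other providers use their own name.
            var codeOk = await _userManager.VerifyTwoFactorTokenAsync(
                user, TokenOptions.DefaultAuthenticatorProvider, authenticatorCode ?? string.Empty);
            if (!codeOk)
            {
                await _userManager.AccessFailedAsync(user); // count TOTP failures toward lockout too
                return "Invalid authenticator code.";
            }
        }

        await _userManager.ResetAccessFailedCountAsync(user);
        return null;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> ChangeEmail(ReauthenticatedChangeEmailModel model)
    {
        var user = await _userManager.GetUserAsync(User);
        if (user == null) return Unauthorized();

        var failure = await ReauthenticateAsync(user, model.CurrentPassword, model.AuthenticatorCode);
        if (failure != null) return Unauthorized(failure);

        var result = await _userManager.SetEmailAsync(user, model.NewEmail);
        if (!result.Succeeded) return BadRequest(result.Errors);

        // Rotate the security stamp so cookies issued before the change stop validating
        // on their next revalidation, then re-issue the current session so the caller stays signed in.
        await _userManager.UpdateSecurityStampAsync(user);
        await _signInManager.RefreshSignInAsync(user);
        return Ok();
    }
}
```

`ReauthenticateAsync` is the part worth reusing: call it from every sensitive action (password change, 2FA enrolment, adding an external login) rather than re-implementing the check per endpoint. In a production flow the new address would normally also be confirmed by a token mailed to it (`GenerateChangeEmailTokenAsync` on this endpoint, `ChangeEmailAsync` on a confirm endpoint) so that a typo or an attacker-supplied address cannot take effect unconfirmed.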

**Tools:** ASP.NET Identity, Manual Review
