Both old and new password work after the user changes it

I have an ASP.Net 4.0 application that is using Forms Authentication and ActiveDirectoryMembershipProvider. It authenticates against Active Directory running on Windows Server 2008 R2.

I use the ChangePassword control for changing passwords.

When the user changes the password he can log on for some time with the old password. My client feels this is a security problem with the application. Is there any way to make sure the old password does not work after the user changes it?

Edit: Also, if I do iisreset on the web server, the old password stops working. The password must be cached somewhere in the web app.


http://support.microsoft.com/kb/906305/en-us - This applies to Server 2003 SP1+, but probably also applies to Server 2008


I'm not sure if you still need the solution to this problem, but it's most likely an issue with your controller not having the registry value OldPasswordAllowedPeriod, or, if it does, having it set to something like 5 minutes. The article Phil points to (http://support.microsoft.com/kb/906305) outlines how to implement it. Hope this helps.
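
Added example, not part of the original answers: a PowerShell check to run on each domain controller that reports the effective `OldPasswordAllowedPeriod` and, if wanted, sets it. The function names are hypothetical. The `Lsa` key path, the minutes unit, the 60-minute default when the value is absent, and the NTLM-only scope are taken from KB 906305, not from this thread.

```powershell
# Added example (hypothetical function names). Run locally on each domain controller.
# Assumption from KB 906305: the value lives under the Lsa key, is a DWORD in minutes,
# defaults to 60 when absent, and 0 turns the old-password grace period off.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'OldPasswordAllowedPeriod'

function Get-OldPasswordGracePeriod {
    # Report the effective grace period during which the previous password
    # is still accepted for NTLM network logons.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $minutes = 60
        $source  = 'default (value not present)'
    } else {
        $minutes = [int]$item.$ValueName
        $source  = 'registry'
    }
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        Minutes             = $minutes
        Source              = $source
        OldPasswordAccepted = ($minutes -gt 0)
    }
}

function Set-OldPasswordGracePeriod {
    # Create or overwrite the DWORD. Use -WhatIf first to preview the change.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [uint32]$Minutes
    )
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", "Set to $Minutes minute(s)")) {
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord `
            -Value $Minutes -Force | Out-Null
    }
    Get-OldPasswordGracePeriod
}

# Audit only: show what this domain controller currently enforces.
Get-OldPasswordGracePeriod | Format-List

# To shorten the window (the value 5 here is only a sample), uncomment:
# Set-OldPasswordGracePeriod -Minutes 5 -WhatIf
```

The setting is per domain controller, so the check has to be repeated on every DC that can service the application's authentication requests.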
