I am pretty new to the Membership API and the Login controls of ASP.NET 2.0. I have lots of this working now but I'd like to extend it a bit.

I would like to know how to cause the successful creation of a new user to result in a "confirmation email" to the email address he provided to my CreateUserWizard webcontrol. Despite the richness of this control, I cannot see any property that supplies this functionality and I've been unable to locate any example of how to do this as part of the use of the CreateUserWizard "code-behind".

I'm visualizing an email sent out which "welcomes the user,etc." and provides a URL to click on to take them back to a "continuation" page on my site with a Querystring that identifies their userid.  Then on the "continuation" page, I would want to mark their profile as being "confirmed" or "approved" and give them a chance to add to their profile information.

Does anyone know of a place where this technique is described for these new webcontrols?

I cannot find much at all about the whole concept of a "confirmation email" and I am wondering if it is no longer considered a "best practice". Many sites I've used seem to use it ostensibly to ensure that the person who supplied the email address at time of account creation is in fact the owner of that email account and that no typos occurred in the txtEmail text box, etc.  

See the following -

http://msdn2.microsoft.com/en-us/library/system.web.ui.webcontrols.createuserwizard.sendingmail.aspx.

Consider in tandem with this -

Disable User Account Created with the wizard

Protected Sub CreateUserWizard1_CreatedUser(ByVal sender As Object, ByVal e As System.EventArgs) Handles CreateUserWizard1.CreatedUser

        ' Set Account to IsApproved=False

        Dim Usr As MembershipUser = Membership.GetUser(Me.CreateUserWizard1.UserName, True)

        Usr.IsApproved = False

        Membership.UpdateUser(Usr)

    End Sub

Provide email content – as per referenced link

Protected Sub CreateUserWizard1_SendingMail(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.MailMessageEventArgs) Handles CreateUserWizard1.SendingMail

        ' provide a link in the email which opens a page that enables the account. Provide param as expected by confirmation page

    End Sub

On page as loaded from email – required param is username with valid username

Private Sub EnableAccount()

        Dim UserName As String = Request.Params("username")

        If Not String.IsNullOrEmpty(UserName) Then

            Dim usr As MembershipUser = Membership.GetUser(UserName, True)

            If Not Nothing Is usr Then

                usr.IsApproved = True

                Membership.UpdateUser(usr)

            End If

            ' page would have links to other site areas

        End If

    End Sub

There are lots of posts out there on using the system.net.mail namespace classes.

Regards,

Martin.

Thank you very much, Martin. This has helped enormously.

What about "best practice" part of the question? Would you agree that sending a confirmation email is and remains a "best practice"? Any thoughts or links you know of where this is discussed?

Thanks again. 

Not sure if this would be a subject for discussion on best practices. However, if you are sending any newsletters/ emails from your site you would wish to ensure that the recipient has the option to remove themselves from the email list via simple URL.

The rest of it, basic user email confirmation is based on architecure and business drivers

- does the business care if the person uses a made up email? Are distibuted emails mission critical etc.

- is it neccessary for resetting a users password?

If passwords are not stored with reversible encruption and users and have not provided a secret question and answer then they will have no way to re-enable their account. When not using reversible password encryption you provided a page with code much like that above where you reset the users password to a new value and email it to them. They then login with the new password and are forced to change it to one that suits them.

I suppose it comes down to architecture and business drivers.

There are other considerations such as workoload on your email servers sending emails to non-existent email addresses and the additional workload involved at managing this; especially with public users creating additional accounts because they can't remember there login details or provided invalid email addresses.

Just my opinions.

Glad to have been of help.

Martin.

Hi,

 Im new to asp.net. Can you be more detailed about the code. I use your code but i cannot made the "link in the email which opens a page that enables the account. Provide param as expected by confirmation page"

What will be in the confirmation page that the confirmation email send to? 

Can you help me?

 Thanks

Hopefully, this code will help you a bit (this works for me). It may be more than you need to see but it is also pretty complete too:

Filename:    CreateAccount.aspx

 <%@ Page Language="VB" MasterPageFile="~/home.master" AutoEventWireup="false" CodeFile="CreateAccount.aspx.vb" Inherits="CreateAccount" title="Untitled Page" %>
<asp:Content ID="Content1" ContentPlaceHolderID="ContentPlaceHolder1" Runat="Server">
    <asp:CreateUserWizard ID="CreateUserWizard1" runat="server"
            CreateUserButtonText="Create new account"
            maildefinition-bodyfilename="CreateAccountMailfile.txt"
            maildefinition-from="noreply@cbmiweb.com"
            onsendingmail="Createuserwizard1_SendingMail"
            UserNameLabelText="UserName:"
            UserNameRequiredErrorMessage="UserName is required. Please make one you can remember. "
            BackColor="#F7F6F3" BorderColor="#E6E2D8" BorderStyle="Solid" BorderWidth="1px"
            CompleteSuccessText="Your account has been successfully created.
            We have sent you an email to verify your email address.
            Please check your email for our message now.
            Click on the link there to return to our web site and then Login."
            ContinueDestinationPageUrl="~/Default.aspx" Font-Names="Verdana" Font-Size="0.8em">
        <WizardSteps>
            <asp:CreateUserWizardStep runat="server" Title="Create a new ITMO account">
                <CustomNavigationTemplate>
                    <table border="0" cellspacing="5" style="width: 100%; height: 100%;">
                        <tr align="right">
                            <td align="center" colspan="0">
                                <asp:Button ID="StepNextButton" runat="server" BackColor="#FFFBFF" BorderColor="#CCCCCC"
                                    BorderStyle="Solid" BorderWidth="1px" CommandName="MoveNext" Font-Names="Verdana"
                                    ForeColor="#284775" Text="Create new account" ValidationGroup="CreateUserWizard1" />
                                <asp:Button ID="btnHome" runat="server" BackColor="#FFFBFF" BorderColor="#CCCCCC"
                                    OnClick="btnReturn_Click" Visible="true"
                                    BorderStyle="Solid" BorderWidth="1px" CommandName="Home" Font-Names="Verdana"
                                    ForeColor="#284775" Text="Cancel" ValidationGroup="CreateUserWizard1"/>
                            </td>
                        </tr>
                    </table>
                </CustomNavigationTemplate>
            </asp:CreateUserWizardStep>
            <asp:CompleteWizardStep runat="server">
                <ContentTemplate>
                    <table border="0" style="font-size: 100%; font-family: Verdana">
                        <tr>
                            <td align="center" colspan="2" style="font-weight: bold; color: white; background-color: #5d7b9d">
                                Complete</td>
                        </tr>
                        <tr>
                            <td>
                                Your account has been successfully created. We have sent you an email to verify
                                your email address. Please check your email for our message now. Click on the link
                                there to return to our web site and then Login.</td>
                        </tr>
                        <tr>
                            <td align="center" colspan="2">
                                <asp:Button ID="Button1" runat="server" BackColor="#FFFBFF" BorderColor="#CCCCCC"
                                    BorderStyle="Solid" BorderWidth="1px" CausesValidation="False" CommandName="Continue"
                                    Font-Names="Verdana" ForeColor="#284775" Text="Continue" ValidationGroup="CreateUserWizard1" />&nbsp;
                            </td>
                        </tr>
                    </table>
                </ContentTemplate>
            </asp:CompleteWizardStep>
        </WizardSteps>
        <SideBarStyle BackColor="#5D7B9D" BorderWidth="0px" Font-Size="0.9em" VerticalAlign="Top" />
        <TitleTextStyle BackColor="#5D7B9D" Font-Bold="True" ForeColor="White" />
        <SideBarButtonStyle BorderWidth="0px" Font-Names="Verdana" ForeColor="White" />
        <NavigationButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" BorderStyle="Solid"
            BorderWidth="1px" Font-Names="Verdana" ForeColor="#284775" />
        <HeaderStyle BackColor="#5D7B9D" BorderStyle="Solid" Font-Bold="True" Font-Size="0.9em"
            ForeColor="White" HorizontalAlign="Center" />
        <CreateUserButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" BorderStyle="Solid"
            BorderWidth="1px" Font-Names="Verdana" ForeColor="#284775" />
        <ContinueButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" BorderStyle="Solid"
            BorderWidth="1px" Font-Names="Verdana" ForeColor="#284775" />
        <StepStyle BorderWidth="0px" />
        <MailDefinition BodyFileName="CreateAccountMailfile.txt" From="noreply@your_emailserver.com">
        </MailDefinition>
    </asp:CreateUserWizard>
</asp:Content>
--------------------------------------------------------------------------------------------------------------------
Filename: CreateAccount.aspx.vb

-------------------------------------------------------------------------------------------------------------------- 

Partial Class CreateAccount
    Inherits System.Web.UI.Page
    Protected Sub CreateUserWizard1_CreatedUser(ByVal sender As Object, ByVal e As System.EventArgs) Handles CreateUserWizard1.CreatedUser
        ' Set Account to IsApproved=False
        Dim Usr As MembershipUser = Membership.GetUser(Me.CreateUserWizard1.UserName, True)
        Usr.IsApproved = False
        Membership.UpdateUser(Usr)
    End Sub

    Protected Sub Createuserwizard1_SendingMail(ByVal sender As Object, ByVal e As MailMessageEventArgs)
        ' Set MailMessage fields.
        e.Message.IsBodyHtml = False
        e.Message.Subject = "Welcome to ITMO"
        ' See Createuserwizard1.maildefinition.bodyfilename to find CreateAccountMailfile.txt
        ' Replace placeholder text in message body with information provided by the user.
        ' http://<%DomainName%><%VirtualDirectory%>/Default.aspx?ID=<%UserLogsOnAs%>
        e.Message.Body = e.Message.Body.Replace("<%PasswordQuestion%>", CreateUserWizard1.Question)
        e.Message.Body = e.Message.Body.Replace("<%PasswordAnswer%>", CreateUserWizard1.Answer)
        e.Message.Body = e.Message.Body.Replace("<%DomainName%>", Request.ServerVariables("SERVER_NAME"))
        e.Message.Body = e.Message.Body.Replace("<%VirtualDirectory%>", Request.ApplicationPath)
        e.Message.Body = e.Message.Body.Replace("<%UserLogsOnAs%>", CreateUserWizard1.UserName)
    End Sub
End Class
 

--------------------------------------------------------------------------------------------------------------------

Filename: CreateAccountMailfile.txt

--------------------------------------------------------------------------------------------------------------------

 Your account was set up on our site with the following:

    Username:   <%UserName%>

To reset your password, you must answer the following question you established:

    Password Question: <%PasswordQuestion%>  
    Password Answer:   <%PasswordAnswer%>  
    
Please complete your registration by clicking on the following link which will serve to validate your
email address and give you an opportunity to complete your Profile information which we require:

http://<%DomainName%><%VirtualDirectory%>/Default.aspx?ID=<%UserLogsOnAs%>

Thank you for creating an account with our web site.

Thanks!

I'll try it tonight and hit you up with my feedback.

Ok the email works with the link but what i have to do when the user get back to default.aspx???

How i validate the user? On my default.aspx there's nothing that can do that at this time.

Sorry guys but im a newb in asp.net

;-(

In your web config ensure you have the defaulturl attribute set for the Forms Authentication "default.aspx".

Hi,

Im a little bit confused.

Mokeefe, can you put the entire code exactly as i have to use it please.

Give the entire explanation.

Thanks

In the body of the email is a link that when clicked on will bring the user back to - let's say - your default.aspx page. A querystring value in the link associates this particular user with the confirmation that the email address supplied during CreateAccount is the correct email address.

In my implementation of this, I needed to provide the login control stuff on at least 2 different pages so for this reason I packaged the login stuff in a user control I called LoginMechanism.ascx. So in default.aspx I included the user control with:

<%@ Register src="UILayer/UserControls/LoginMechanism.ascx" TagName="LoginMechanism"
    TagPrefix="uc1" %>
 

..then further down the the default.aspx page I put this in a table cell:

       <asp:TableCell VerticalAlign="Top">
            <uc1:LoginMechanism id="LoginMechanism1" runat="server">
            </uc1:LoginMechanism><br />
       </asp:TableCell>

 So my default.aspx.vb is very small - essentially nothing - but my LoginMechanism.ascx.vb is where all the work is done:

 Imports System.Web
Partial Class _LoginMechanism
    Inherits System.Web.UI.UserControl
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        Dim myLogin As Login = CType(Me.LoginView1.FindControl("Login1"), Login)
        If myLogin IsNot Nothing Then
            Dim myButton As Button = CType(myLogin.FindControl("LoginButton"), Button)
            If myButton IsNot Nothing Then
                Me.Page.Form.DefaultButton = myButton.UniqueID
                Dim myFoundTextBox As TextBox = CType(myLogin.FindControl("Password"), TextBox)
                myFoundTextBox.Attributes.Add("onclick", "document.forms[0].onkeypress = " _
                + "new Function(""return WebForm_FireDefaultButton(event, '" + myButton.UniqueID + "');"");")
            End If
        End If
        Me.EnableAccount()
        If Context.User.Identity.IsAuthenticated Then
            Session("MemberKey") = Profile.MemberKey
            If Session("ShowHomePage") = True Then
                Session("ShowHomePage") = False     'Immediately turn off this signal and DO NOT redirect this time
            Else
                Response.Redirect("frmLenderMenu.aspx")
            End If
        End If
    End Sub
    Private Sub EnableAccount()
        Dim UserName As String = Request.Params("ID")
        If Not String.IsNullOrEmpty(UserName) Then
            Dim usr As MembershipUser = Membership.GetUser(UserName, True)
            If Not Nothing Is usr Then
                usr.IsApproved = True
                Membership.UpdateUser(usr)
            End If
        End If
    End Sub
End Class

The first part of the routine above is not really relevant to your question. Rather it allows for the user to type USERID and PASSWORD and then hit the enter key (instead of explicitly clicking the LOGIN button). The call to EnableAccount and the test for IsAuthenticated are what I think you really need.

In the confirmation email, how can i send the UserId of the user for replacing the UserName?

Here : e.Message.Body = e.Message.Body.Replace("<%UserLogsOnAs%>", CreateUserWizard1.UserName)

The UserID is not a property of the CreateUserWizard control so sending it is NOT a straightforward thing helped along by Intellisense. Moreover, the timing of events could affect things. You might want to research the various events of the CreateUserWizard control. For example, here is one:

 Protected Sub CreateUserWizard1_CreatedUser(ByVal sender As Object, ByVal e As System.EventArgs) Handles CreateUserWizard1.CreatedUser
        ' Set Account to IsApproved=False
        Dim Usr As MembershipUser = Membership.GetUser(Me.CreateUserWizard1.UserName, True)
        Usr.IsApproved = False
        Membership.UpdateUser(Usr)
    End Sub

Maybe you could call the sproc  [dbo].[aspnet_Membership_GetUserByName], passing it the UserName and getting back various items related to the user (including UserID).

You should be using the ProviderUserKey which is a property of the MembershipUser object.

Note the ProviderUserKey is of type object and is dependent on the Memebership Provider in use! With the SqlMemebershipProvider ProviderKey can be cast as a guid.

 http://msdn2.microsoft.com/en-gb/library/system.web.security.membershipuser.provideruserkey.aspx

You should really be providing both the ProviderUserKey and an hashed signature in the link params ( I deliberately left this out above so as not to confuse the issue).

http://www.mysite.com/emailconfirm?u=guid&h=myhashedvalue.

The hashed value would be an MD5 hash of the UserName (not the exposed ProviderUserKey). This would negate the need for salts as two pieces of the puzzle are not transmitted (not saying not to use unique salts if preferred - when you know what they are).

Basic overview - MD5 hashing takes an input value and produces a hash. This is a one way process, you cannot take the hash and work backwards to the original input. However, the same input always generates the same ouput. Hence if you take the username and generate an MD5 hash, then when the page is requested you can retreive the Membershipuser object, recreate the hash from the username, and confirm that the page was in fact called from your email. In this case this only prevents - which may or may not be really important - the use of a known URL to initialise accounts without actually providing a valid email. This can be extended to providing timestamps and link validity / expirey windows etc.

The ASP SQLMembershipProvider uses Salts with sql accounts.

A salt is a unique value appended to the input value prior to hashing and storage - the password. In additona to the hash the salt is also stored, they are a pair. So "samepassword" + GUID1(salt) generates a hash, but "samepassword + GUID2(salt) generates a different hash. Therefore, the breaking of one account via whatever mechanism does not expose the others - two accounts with the same password do not have the same stored hash value! This configuration is not used where EnablePasswordRecovery is true. Hash passwords are unretreivable, but can be reset etc.

Thats my overkill for today. I hope it makes some sense. And obviously prior to using MD5 hashing or another alternate mechanism you will wish to look it up further on MSDN etc. Then maybe we will see another post - the security Forum would probably be more appropriate for MD5 related questions.

Best Regards,

Martin.