Marked as answer by TATWORTH on Jun 10, 2010 11:41 AM
I can't say I agree. If your email address changes you should always be able to update it on the site.
Marked as answer by TATWORTH on Jun 10, 2010 11:42 AM
Not the most elegant solution, but overriding the authenticate event of the login control worked for me. I had to add the "Login1.UserName = username;" line because leaving the email address broke Membership.GetUser() for some reason (on another page). The code below allows the user to login by username or email address.
LeMerovingia...
Membership Provider should allow users to login with Email Address+Password instead of Username+P...
Aug 15, 2007 05:48 AM
I like the membership/role providers but I don't like the fact that by default you have to login with a username and password. I think there should be a base option to login with Email address and password instead, as this seems more logical in a lot of scenarios. One of the main issues with the current setup............
1. You register with a website.
2. The username you wanted is not available so you choose a near match or something completely different.
3. You come back to login to the website a few weeks later but have forgotten your password.
4. You are asked to enter your username to retrieve your password, but you have forgotten your username (as the one you usually use was not available).
I know there are a number of work arounds for this situation as I have had to implement them. I just think that the next release should give us the choice. I think that Email addresses are a much better choice for logging in because they are always unique and it is harder for people to forget than a username.
cheers
DMW
Aug 15, 2007 08:55 AM
I'm not quite sure I see where the problem is.
You can use an email address as the username out of the box (and if you're using the login control, just modify its template to say email rather than user name).
Using email addresses for user names is a poor design choice for many reasons, not the least of which is that if you lose your email account for any reason (i.e. you move job) then it can cause problems. It also allows for a denial of use attack on someone (just create an account on a site with their email address and they are blocked out). Thus a username is nearly always a better choice, but there is nothing in the ASP.NET provider mechanism that requires a workaround for you to use an email address as the user name with the current providers.
Dave
LeMerovingia...
Aug 15, 2007 11:09 AM
As far as "denial of use" attacks go, this shouldn't happen if the system is designed properly, as when a user registers, the system would send them a validation email, and if they can't validate it from their email address the account will not get created.
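The validation-email flow described in this reply, as an added C# example (not code from the thread or from ASP.NET): nothing is created or reserved for an address until the link mailed to it comes back with a valid, unexpired token. `EmailVerification`, `Issue`, `TryRedeem` and the demo key are hypothetical; the assumption is that the site calls `Membership.CreateUser` only after `TryRedeem` returns an address.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example; EmailVerification, Issue and TryRedeem are hypothetical names.
public static class EmailVerification
{
    // Token mailed to the address: base64(email|expiryTicks) "." base64(HMAC-SHA256).
    public static string Issue(string email, DateTime expiresUtc, byte[] key)
    {
        string payload = email.Trim().ToLowerInvariant() + "|" + expiresUtc.Ticks;
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload)) + "."
             + Convert.ToBase64String(Sign(payload, key)); // URL-encode before putting it in a link
    }
    // Returns the verified address, or null if the token is malformed, forged or expired.
    public static string TryRedeem(string token, DateTime nowUtc, byte[] key)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return null;
        try
        {
            string payload = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
            if (!SameBytes(Convert.FromBase64String(parts[1]), Sign(payload, key))) return null;
            int bar = payload.LastIndexOf('|'); // the payload is authentic from here on
            return nowUtc.Ticks <= long.Parse(payload.Substring(bar + 1)) ? payload.Substring(0, bar) : null;
        }
        catch (FormatException) { return null; }
    }
    static byte[] Sign(string payload, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
    // Compare without stopping at the first mismatching byte.
    static bool SameBytes(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-use"); // constructed sample key
        DateTime now = DateTime.UtcNow;
        string token = Issue("Alice@Example.com", now.AddHours(24), key);
        Console.WriteLine(TryRedeem(token, now, key));                    // link opened in time
        Console.WriteLine(TryRedeem(token, now.AddDays(2), key) == null); // link opened after expiry
        Console.WriteLine(TryRedeem("x" + token, now, key) == null);      // altered token
    }
}
```

Because the token carries its own expiry and signature, a registration attempt that is never confirmed leaves no row behind to block the real owner of the address.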
DMW
Aug 17, 2007 09:32 AM
I fully endorse the idea of changing your email address, and using validation emails, but in the past year the following happened to me:
1. My company changed their name (post a merger, and thus changed the address and consequently all our email addresses).
2. I then left that company
Thus in the space of twelve months I've had three email addresses.
Using your recommendation, I'd have to change all of my account names - or just remember my old email address and hope that the site never sent me an email and that I never forget my password.
If I do the latter, I run the risk that someone else gains my previous email address (a new employee with the same name) and they then either
a. Can't use that name for the site because I have yet to change it, or
b. Hit the "Send me my password" button beloved of so many sites and gain access to my account
Using an email address as a username also fails several programming guidelines (i.e. separation of concerns/cohesion).
So personally, I'd never design a site that used an email address as a username, but as it only takes a couple of minutes to add it to ASP.NET as it currently stands, I'd much rather see the ASP.NET team focusing on the bits that are really broken, rather than trivia.
Just as a matter of interest, have you also posted this as a request on Microsoft Connect? It would be interesting to see how many other members of that community want this as a feature.
Dave
LeMerovingia...
Aug 17, 2007 01:05 PM
You raise some good points, but I still think a change of email address is easily facilitated by updating that information in the site.
If the user has forgotten their email address then perhaps they can use the hint questions?
I haven't posted this to Microsoft Connect - what is the URL for this?
Davz
Jan 29, 2008 05:57 PM
Actually, I find the thought of username/password atrocious. How many sites are you going to go to where your username is already taken? A LOT. And the first occurrence of this screws up your whole system, forcing you to have different usernames for different sites, and depending on how many you belong to, this could be an insanely long list.
However, how likely is it that you will find your email address taken?
You chose to sign up for those sites with your company email - a bad choice, imho. It opens the company up to spam and can compromise your personal information. My advice - always use a free email account when registering for a site. No matter how reputable you think a business may be, they're still a business, and the information they gather is almost always up for sale (or sharing with their 'partners') despite their having a 'Privacy Policy'. If you read it there's almost always a loophole allowing them to share it with affiliates, but the part they want you to read is "We will never sell your personal information" and the next line, which they don't want you to read, is "but we will share it with our affiliates who happen to pay us."
Just create a free email address for yourself for this purpose so you can still keep it separate from your home information. Simple and more secure.
I would also really like to see a standard as far as password requirements go. Some sites require a symbol character in it, others won't allow it. My favorite password consists of upper-case and lower-case characters, and digits, and signing up on a site that forces me to put a ! or @ someplace in my password doesn't help my memory any.
So, I'm on the opposite side, vehemently opposed to forcing users to remember another piece of information. This may also cause a lot of members with duplicate sign-ups. Forgetting their username, they create a new one.
Having a username may be, in your opinion, better programming practice, but it's a terrible inconvenience to a site's members. Ebay realized this too.
LeMerovingia...
Jan 30, 2008 12:43 AM
It actually gets worse. A common practice when wanting to use the email address for login is to set the username (via the provider setup) to be the email address. This seems ok at first but then when you want to use the managed code to change the username it won't let you! The username is readonly. This makes sense because technically you have to be logged in to change your username, so if you do this while you are logged in then the context of the user changes (thus the logged in user and the new username won't match at some point). Therefore you can try and manually force it to update the email address via the database (which creates a new row rather than letting you modify the existing one), or you can change the username but first you have to force a logout, change it, then log back in. Not very seamless. A painful experience actually - creates a lot more work for the programmer. You have to see it to believe it.
joltinjoe03
Jun 25, 2008 07:00 PM
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        if (Login1.UserName.Contains("@")) // Email login
        {
            // Look up the account name registered for this address (null if none).
            string username = Membership.GetUserNameByEmail(Login1.UserName);
            if (username != null)
            {
                if (Membership.ValidateUser(username, Login1.Password))
                {
                    // Swap in the real user name so Membership.GetUser() works on later pages.
                    Login1.UserName = username;
                    e.Authenticated = true;
                }
                else
                    e.Authenticated = false;
            }
        }
        else // Standard username and password login
        {
            if (Membership.ValidateUser(Login1.UserName, Login1.Password))
                e.Authenticated = true;
            else
                e.Authenticated = false;
        }
    }
ahenderson
Feb 25, 2009 05:02 PM
I was looking for a solution to change the login to use the Email address instead of the UserName (which is displayed on the site) and this helped me greatly. Thanks.
My main reason for wanting to change the login (and password recover) to email is that users can see other people's usernames on the site. Therefore, they can go to password recover and take a list of user names and change everyone's password, which would be annoying to have happen. I would use email because it is not displayed to other users.
younger90
Mar 17, 2009 04:14 PM
Can someone tell me where to place this code?
I have copied the code into my Login.aspx.cs behind code page.
After adding the code I cannot login with my email address.
Any help would be great.
thanks