Get Help:Ask a Question in our Forums|Report a Bug|More Help Resources
Last post May 07, 2012 09:44 PM by sidshetye
Aug 15, 2007 05:48 AM|LINK
I like the membership/role providers but I don't like the fact that by default you have to login with a username and password. I think there should be a base option to login with Email address and password instead, as this seems more logical in a lot of
scenarios. One of the main issues with the current setup............
1. You register with a website.
2. The username you wanted is not available so you choose a near match or something completely different.
3. You come back to login to the website a few weeks later but have forgotten your password.
4. You are asked to enter your username to retrieve your password, but you have forgotten your username (as the one you usually use was not available).
I know there are a number of work arounds for this situation as I have had to implement them. I just think that the next release should give us the choice. I think that Email addresses are a much better choice for logging in because they are always unique and
it is harder for people to forget than a username.
Aug 15, 2007 08:55 AM|LINK
I'm not quite sure I see where the problem is.
You can use an email address as the username out of the box (and if you're using the login control, just modify its template to say email rather than user name).
Using email addresses for user names is a poor design choice for many reasons, not the least of which is that if you lose your email account for any reason (i.e. you move job) then it can cause problems. It also allows for a denial of use attack on someone
(just create an account on a site with their email address and they are blocked out). Thus a username is nearly always a better choice, but there is nothing in the ASP.NET provider mechanism that requires a workaround for you to use an email address as the
user name with the current providers.
Aug 15, 2007 11:09 AM|LINK
Aug 17, 2007 09:32 AM|LINK
I fully endorse the idea of changing your email address, and using validation emails, but in the past year the following happened to me:
1. My company changed their name (post a merger, and thus changed the address and consequently all our email addresses).
2. I then left that company
Thus in the space of twelve months I've had three email addresses.
Using your recommendation, I'd have to change all of my account names - or just remember my old email address and hope that the site never sent me an email and that I never forget my password.
If I do the latter, I run the risk that someone else gains my previous email address (a new employee with the same name) and they then either
a. Can't use that name for the site because I have yet to change it, or
b. Hit the "Send me my password" button beloved of so many sites and gain access to my account
Using an email address as a username also fails several programming guidelines (i.e. separation of concerns/cohesion).
So personally, I'd never design a site that used an email address as a username, but as it only takes a couple of minutes to add it to ASP.NET as it currently stands, I'd much rather see the ASP.NET team focusing on the bits that are really broken, rather
Just as a matter of interest, have you also posted this as a request on Microsoft Connect? It would be interesting to see how many other members of that community want this as a feature.
Aug 17, 2007 01:05 PM|LINK
you raise some good points, but I still think a change of email address is easily facilitated by updating that information in the site.
if the user has forgotten their email address then perhaps they can use the hint questions?
i haven't posted his to Microsoft Connect - what is the URL for this?
Jan 29, 2008 05:57 PM|LINK
Actually, I find the thought of username/password atrocious. How many sites are you going to go to where your username is already taken? A LOT. And the first occurence of this screws up your whole system, forcing you
to have different usernames for different sites, and depending on how many you belong to, this could be an insanely long list.
However, how likely is it that you will find your email address taken?
You chose to sign up for those sites with your company email - a bad choice, imho. It opens the company up to spam and can compromise your personal information. My advice - always use a free email account when registering for a site. No matter how reputable
share it with affiliates, but the part they want you to read is "We will never sell your personal information" and the next line, which they don't want you to read is, " but we will share it with our affiliates who happen to pay us."
Just create a free email address for yourself for this purpose so you can still keep it separate from your home information. Simple and more secure.
I would also really like to see a standard as far as password requirements go. Some sites require a symbol character in it, others won't allow it. My favorite password consists of upper-case and lower-case, characters, and digits, and signing up on a site
that forces me to put a ! or @ someplace in my password doesn't help my memory any.
So, I'm on the oppsite side, vehemently opposed to forcing users to remember another piece of information. This may also cause a lot of members with duplicate sign-ups. Forgetting their username, they create a new one.
Having a username may be, in your opinion, better programming practice, but it's a terrible inconvenience to a site's members. Ebay realized this too.
Jan 30, 2008 12:43 AM|LINK
It actually gets worse. A common practice when wanting to use the email address for login is to set the username (via the provider setup) to be the email address. This seems ok at first but then when you want to use the managed code to change the username
it won't let you! The username is readonly. This makes sense because technicallly you have to be logged in to change your username, so if you do this while you are logged in then the context of the user changes (thus the logged in user and the new username
won't match at some point). Therefore you can try and manually force it to update the email address via the database (which creates a new row rather than letting you modify the existing one), or you can change the username but first you have to force a logout,
change it, then log back in. Not very seemless. A painful experience actually - creates a lot more work for the programmer. You have to see it to believe it.
Jun 25, 2008 07:00 PM|LINK
protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
if (Login1.UserName.Contains("@")) //Email Login
string username = Membership.GetUserNameByEmail(Login1.UserName );
if (username != null)
if (Membership.ValidateUser(username, Login1.Password))
Login1.UserName = username;
e.Authenticated = true;
else e.Authenticated = false;
else //Standard Username & Password Login
if(Membership.ValidateUser(Login1.UserName, Login1.Password)) e.Authenticated = true;
else e.Authenticated = false;
Feb 25, 2009 05:02 PM|LINK
I was looking for a solution to change the login to use the Email address instead of the UserName (which is displayed on the site) and this helped me greatly. Thanks.
My main reason for wanting to change the login (and password recover) to email is that users can see other people's usernames on the site. Therefore, they can go to password recover and take a list of user name and change everyone's password which would
be annoying to have happen. I would use email so because it is not displayed to other users.
Mar 17, 2009 04:14 PM|LINK
Can someone tell me where to place this code?
I have copied the code into my Login.aspx.cs behind code page.
After adding the code i cannot login with my email address.
Any help would be great.