ASP.NET 2.0 Membership and Roles Tutorial Series

Scott Mitchell has continued the great ASP.NET 2.0 Membership, Roles and Profile Tutorial series he started a few months back, and has now posted parts 3 and 4. You can read the series here:

Examining ASP.NET 2.0’s Membership, Roles and Profile (Part 1)

Examining ASP.NET 2.0’s Membership, Roles and Profile (Part 2)

Examining ASP.NET 2.0's Membership, Roles and Profile (Part 3)

Examining ASP.NET 2.0's Membership, Roles and Profile (Part 4)

 

In part 4 he discusses the Membership API's support for locking out users, as well as temporarily disabling accounts after too many failed login attempts. Specifically, you can configure ASP.NET to automatically disable an account after a specified number of failed login attempts (to defend against remote password dictionary attacks). You can then use the "UnlockUser()" method on the MembershipUser class to re-enable an account. I've seen several questions recently from people wondering how to do this -- so it is great to see him cover it here.
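An added example (not code from this post or from the tutorial series) of an admin-side helper that reports the configured lockout threshold and re-enables only accounts whose lockout is older than a cool-down. The class name, method names and the cool-down policy are assumptions; the Membership members used are the standard System.Web.Security ones.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;

// Hypothetical helper for an admin page or scheduled job.
public static class LockoutReview
{
    // Describes the threshold the configured provider enforces.
    public static string DescribePolicy()
    {
        return String.Format(
            "{0} failed attempts within {1} minute(s) locks an account",
            Membership.MaxInvalidPasswordAttempts,
            Membership.PasswordAttemptWindow);
    }

    // Unlocks accounts that have been locked for at least coolDown and
    // returns their names so the action can be logged and reviewed.
    public static List<string> UnlockExpired(TimeSpan coolDown)
    {
        List<string> unlocked = new List<string>();
        // MembershipUser dates are exposed in local time.
        DateTime cutoff = DateTime.Now - coolDown;

        foreach (MembershipUser user in Membership.GetAllUsers())
        {
            if (!user.IsLockedOut)
                continue;
            // LastLockoutDate is recorded when the threshold was crossed.
            if (user.LastLockoutDate > cutoff)
                continue;   // still inside the cool-down, leave it locked

            if (user.UnlockUser())
                unlocked.Add(user.UserName);
        }
        return unlocked;
    }
}
```

Returning the list of names lets the caller write an audit record for each unlock, which is useful when the same accounts keep reappearing.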

 

One other question I see asked a lot on the forums is how someone can build their own custom admin pages for managing Membership and Roles information for their site. Peter Kellner wrote two great articles for MSDN that walk through how to build something like this (even using a GridView + ObjectDataSource to bind against the users in the database). You can check them out here:

 

Microsoft ASP.NET 2.0 Member/Role Management with IIS, Part 1: Security and Configuration Overview

Microsoft ASP.NET 2.0 Member/Role Management with IIS, Part 2: Implementation

 

For more information on ASP.NET 2.0 Security Topics, please check out (and potentially bookmark) this blog post of mine here. I'm trying to link off to good security resources + samples I find on the web with it, and make it a one-stop place people can go to find good security related information.

 

Hope this helps,

Scott


Published Sunday, May 7, 2006 3:19 PM by ScottGu

Comments

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Monday, May 8, 2006 6:41 AM by LukCAD
Hello Scott!
It was interesting to study all your video examples and examples from Mitchell and Kellner about implementing security controls in applications.
Is there any example or video about "How to create your own membership provider?". I wish to do a new one different from SqlMembershipProvider or ActiveDirectoryMembershipProvider.

Sincerely, LukCAD

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Monday, May 8, 2006 2:13 PM by Scott Mitchell
Regarding admin screens, the download available at Part 4 of my article series includes some fairly basic Admin screens for viewing the users in the system along with their Lock Out / Inactive / administrative role status, with the ability to easily toggle the inactive / locked out / administrative role status.

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Wednesday, May 10, 2006 9:27 AM by Laura
Scott, you have saved my life! I have a looming deadline and didn't have time to spend weeks developing a user account manager - this should do the trick if I can work out some kinks with my hosting service.

There wouldn't happen to be an email verification component for membership, is there?

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Thursday, May 11, 2006 2:16 AM by Charles Chung
Hi Scott,

I have implemented the Membership and Roles services in my new application. Do you have any tutorials on hand that can give me hints on how to build an admin section so administrators can easily administer users (delete users, lock out users, edit user roles, etc.)?

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Thursday, May 11, 2006 9:55 PM by Charles Chung
Hi Scott,

I have read the article "Microsoft ASP.NET 2.0 Member/Role Management with IIS, Part 2: Implementation" talking about how to implement admin pages for the ASP.NET 2.0 membership enabled website.

Yet in addition to this I would like to add a search button which filters the username like this:

protected void SearchButton_Click(object sender, EventArgs e)
{
    ObjectDataSourceMembershipUser.FilterExpression = "UserName LIKE '%" + SearchTextBox.Text + "%'";
}

But I got the error: The data source 'ObjectDataSourceMembershipUser' only supports filtering when the SelectMethod returns a DataSet or a DataTable.

May you kindly show me how to get around this?
Thanks!

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Friday, May 12, 2006 12:36 AM by Rockstone
Why can I not find any video to study? Would you like to tell me where I can download from? Thanks.

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Friday, May 12, 2006 1:12 AM by scottgu
Hi Charles,

What you should use instead is the Membership.FindUsersByName("string") method. This will do a filter in the database and be much more efficient.

Hope this helps,

Scott
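An added example (not part of the original comments) of a select method built on the Membership.FindUsersByName call suggested above. It assumes the SqlMembershipProvider, which matches the argument with a SQL LIKE clause; the class and method names and the 64-character limit are hypothetical.

```csharp
using System;
using System.Web.Security;

// Hypothetical data-access class for an admin search page.
public static class UserSearch
{
    // Escape LIKE metacharacters so the typed text is matched literally.
    // "[" must be handled first because the other escapes introduce brackets.
    static string EscapeLike(string text)
    {
        return text.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // Returns one page of users whose name contains the fragment.
    public static MembershipUserCollection FindByFragment(
        string fragment, int pageIndex, int pageSize, out int totalRecords)
    {
        if (fragment == null)
            fragment = String.Empty;
        fragment = fragment.Trim();
        if (fragment.Length > 64)   // assumed upper bound for a search box
            throw new ArgumentException("Search text is too long.", "fragment");

        // The search text reaches the provider as a value; it is never
        // concatenated into a filter expression or SQL string.
        string pattern = "%" + EscapeLike(fragment) + "%";
        return Membership.FindUsersByName(pattern, pageIndex, pageSize, out totalRecords);
    }
}
```

Paging through the provider keeps the filtering in the database, and the escaping stops a user-typed "%" or "_" from widening the match.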

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Friday, June 30, 2006 6:30 AM by Andy

Hi Scott, I'd really appreciate your help. I've read through Scott Mitchell's series and your article on "How to add a Login, Roles and Profile system to an ASP.NET 2.0 app in only 24 lines of code", and they really explained a lot to me, but I'm sitting with what seems to be a rather uncommon issue.

I have a website that uses forms authentication and I've added properties in the web.config to store the user's name and business name when they register - that's working perfectly.

I now have a Windows Forms application that needs to validate the user, and that sends the username and password to a webservice where I call Membership.ValidateUser(username, password) to validate the credentials, and that also works perfectly. (I've specified the membership and profile providers in the web.config and also the same profile properties as I specified in the website's web.config.)

My problem is how I can access the user's profile properties from the webservice. I can't seem to even access the ProfileCommon class, and when I try to access the ProfileBase class's property values they are just empty strings.

Thanks, I really appreciate it.

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Wednesday, July 5, 2006 11:27 PM by ScottGu

Hi Andy,

I think from a web-service you might need to access the Profile object in a late-bound way (so via the late-bound property accessors on the ProfileBase class).

To get a specific instance of the ProfileBase for a specific user, you can write code like so:

ProfileBase settings = ProfileBase.Create(userName);

string business = (string) settings["business"];

Hope this helps,

Scott

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Monday, September 11, 2006 12:48 AM by Robert Clancy
membership.deleteuser() fails because of FK constraint violations. How can this be, given that it's a MS product? I am getting the same error on 2 SQL Server 2005 instances where I have installed the membership, profiles and roles objects.

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Tuesday, September 12, 2006 10:39 AM by ScottGu

Hi Robert,

It is pretty odd that you are seeing a FK constraint violation.  If you want to send me an email describing it more (scottgu@microsoft.com), I can help investigate.

Thanks,

Scott

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Monday, September 18, 2006 5:01 AM by Kieran
Hi, How would you handle this scenario with 2.0 membership? I have an application where users can register for the site and then save items. This works fine, though I now need to have an admin side to the system, for the owners to manage the items available. What happens if an admin and a user choose the same username, is there a best practice way to handle this scenario? Thanks Kieran

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Tuesday, September 19, 2006 12:05 AM by ScottGu

Hi Kieran,

If you use the same membership database, then the Membership API will automatically prevent you from re-using the same user-name.

Hope this helps,

Scott

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Tuesday, September 19, 2006 11:55 PM by ScottGu

Hi Kieran,

You can't have two users with the same username I'm afraid. One approach you could use, though, is to use Roles to differentiate the users (as opposed to hard-coding a name).

This tutorial talks about how to use Roles with ASP.NET: http://weblogs.asp.net/scottgu/archive/2006/07/23/Recipe_3A00_-Implementing-Role-Based-Security-with-ASP.NET-using-Windows-Authentication-and-SQL-Server.aspx

Hope this helps,

Scott

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Tuesday, October 3, 2006 11:04 AM by David
Hi Scott, Were you able to provide a solution for Robert’s FK constraint issue? Membership.DeleteUser(newUser.UserName, true); Fails because of FK constraint "FK_aspnet_Me__UserI__15502E78" violations. I see that this constraint references the aspnet_Applications table and the aspnet_Membership table FK references both the aspnet_User and aspnet_Applications tables. At the point where I’m trying to delete the user only these three tables have user data. I assume that the Membership.DeleteUser() method has the logic to handle the FK constraints. Do I need to set something to allow it to handle cascading deletes? Thanks for the help. David

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Monday, October 16, 2006 8:13 PM by Peter
Hello Scott! Your articles are very helpful; however, I still don't know how to add a user name and password to the aspnet_user table. Can anyone in this forum point me to the link for this issue? Additionally, I still cannot configure my SQL Server 2005 developer version with ASP.NET 2. Thanks for any tip.

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Tuesday, October 17, 2006 10:28 AM by ScottGu

Hi Peter,

This post describes how to configure your SQL Server 2005 developer version with the ASP.NET 2.0 tables: http://weblogs.asp.net/scottgu/archive/2005/08/25/423703.aspx

Hope this helps,

Scott

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Thursday, October 26, 2006 10:02 AM by hansi
Laura was touching the subject earlier. What if you would like the users to verify their e-mail before you let them in. Any advice on how to achieve that? /hansi, Sweden

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Saturday, October 28, 2006 1:08 PM by ScottGu

Hi Hansi,

One approach you could use would be to set the IsApproved property on the MembershipUser object to false on a user when you create them in the Membership database.  You could then send them an email and have them click a link in it to return to the site.  On that page you could then set the IsApproved property to true - which will unlock the user account and enable logins.

Hope this helps,

Scott
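An added example (not part of the original comments) of the IsApproved flow described above, with the e-mailed link carrying an expiring HMAC token. The class and method names, the 24-hour lifetime and the placeholder secret are assumptions, and sending the e-mail is left to the caller; it also assumes the provider is configured with requiresQuestionAndAnswer="false".

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

public static class EmailVerification
{
    // Assumption: a real site loads a random secret from protected configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("PLACEHOLDER-SECRET");

    // HMAC over user name and expiry, so the link cannot be forged or extended.
    static string Sign(string userName, long expiresTicks)
    {
        using (HMACSHA256 hmac = new HMACSHA256(Key))
        {
            string data = userName.ToLowerInvariant() + "|" + expiresTicks;
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(data))).Replace("-", "");
        }
    }

    // Creates the account with IsApproved = false and returns the token to
    // put in the e-mailed link, or null if the account was not created.
    public static string Register(string userName, string password, string email,
                                  out MembershipCreateStatus status)
    {
        Membership.CreateUser(userName, password, email, null, null, false, out status);
        if (status != MembershipCreateStatus.Success) return null;
        long expires = DateTime.UtcNow.AddHours(24).Ticks;
        return expires + "." + Sign(userName, expires);
    }

    // Called by the page the link points to; approves only on a valid token.
    public static bool Confirm(string userName, string token)
    {
        string[] parts = (token ?? "").Split('.');
        long expires;
        if (String.IsNullOrEmpty(userName) || parts.Length != 2) return false;
        if (!long.TryParse(parts[0], out expires)) return false;
        if (expires < DateTime.UtcNow.Ticks) return false;   // link expired
        if (!SameString(Sign(userName, expires), parts[1])) return false;
        MembershipUser user = Membership.GetUser(userName);
        if (user == null) return false;
        user.IsApproved = true;
        Membership.UpdateUser(user);
        return true;
    }

    // Compares without stopping at the first differing character.
    static bool SameString(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the token is derived from the user name and an expiry, a visitor who only knows or guesses a user name cannot approve that account.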

# re: ASP.NET 2.0 Membership and Roles Tutorial Series

Tuesday, January 30, 2007 10:53 AM by Mark

Could someone direct me to an example that uses "ActiveDirectoryMembershipProvider" in Windows authentication?