tags:

views:

63

answers:

3
+2  Q: 

Login control and custom membership provider

I am working on implementing a custom membership provider that works against an existing schema in my database and have a few thoughts/questions.

The login control will automatically call the ValidateUser method of the membership provider, so no matter how I implement the provider the only thing the login control cares about is the bool value returned by this method. What I am confused about is there could be numerous reasons why a login attempt failed; user is locked out, too many tries in a period of time, etc. There is no way that I see to convey that to the control so it could display the proper message. Other properties of the membership provider such as PasswordStrengthRegularExpression have absolutely no effect on the login control as well (out of the box), I would have hoped that it would automatically somehow translate into regular expression validators, but that doesn't seem to be the case. So it seems that I need to initialize the login control properties with these settings out of the provider configuration if I want them to take on the control itself.

If the only thing that the Login control does out of the box (without manually handling events and doing the initialization as described above) is call the ValidateUser method on the membership provider, I see no way to convey back to the Login control why the validation failed or even doing things like throttling the validation requests based on a certain time window. Ultimately my question is why would I even use the membership provider then in conjunction with the login control? It seems like it was only designed for a Yes/No type response, which is very restrictive. If I want to build in logic with different messages back to the user I need to handle the login control events and call my own authentication classes that will handle all of my business requirements as well as return a custom error message back to the Login control to display to the user so they know why their attempt is invalid.

Unless I am wrong in my assumptions, it seems that the interface between the Login control as the membership API is too restrictive to be useful. Perhaps the API works better for other auth controls like ChangePassword better but for the actual Login control I don't see the point.

I appreciate your thoughts.

+1  A: 

I had the same kind of problem in using login related method(Change password) with the Membership Provider where in I wanted more information then just a Yes/No. Hopefully, you can implement a solution similar to the workaround that I came up with. See this:

Membership provider ChangePassword method return type problem

desigeek  2010-10-11 19:57:29
Thanks, good to know that I am not going crazy. Doesn't it fell like we're missing something here though? This makes me want to ditch the membership provider to begin with. I don't need it if I am going to have to hack it as well as hack the controls to work with it in order to get simple things like more helpful error messages out of it. The only benefit to the provider to me was the out of the box integration with the controls, which seems to be extremely limiting.
e36M3  2010-10-11 20:19:54
+1  A: 

You are right. To implement the logic you are talking about, you need to implemente the Authenticate event. That way you could write back a custom error message after you do your own validation.

On the other hand I dont think the password strength should be validated on authentication but rather on user creation.

you could write something like this:

protected void Login_Authenticate(object sender, AuthenticateEventArgs e)
{
    try
    {
       e.Authenticated = myMembershipProvider.ValidateUser(LoginControl1.UserName,LoginControl.Password);

    }
    catch(Exception ex)
    {
      LoginControl1.FailrureText = ex.Message;
    }
}

And throw your custom Exception in your ValidateUser method. Happy coding...

Igor Zelaya  2010-10-11 20:25:04
Doesn't the membership provider lose it's value to me at that point? If I do ahead and handle the Authenticate event, then I have to call the ValidateUser method on the provider myself. That method will not be sufficient so I would have to call another method that will actually tell me why the login failed. I agree with you on password strength.
e36M3  2010-10-11 20:40:08
@e36M3 - Yeap you are right. that´s the way to go. What i would do is call first all validation, write the error on the control ErrorMessage property and finally, if something fails,
Igor Zelaya  2010-10-12 06:01:23
A: 

Okey, if you cannot change the Login-control thing, you will ultimately need another login-control interface!

Muktadir  2010-10-11 20:26:01

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?