views: 21
answers: 2

I find that the password can only be retrieved by the method GetPassword() in the ASP.NET 2.0 Membership API.

In fact, we could get the password when we get the user information from the database and set it as a property of the user (an object of MembershipUser), just like user.Email, user.UserName, etc.

It's clear that adopting the second solution (a property) would save one round trip between the server and the database and be more convenient. But why doesn't Microsoft do it like this? For security reasons? Then why is it less secure to expose the password as a property?

A: 

Yes, the reason is security.

The password here is not a SecureString (which it must be, but probably cannot change because of backward compatibility). In most cases, you only need membership info and general information. If the password is a property, it will stay in memory until the request is finished and the object is garbage collected. If multiple applications share the host, it will be possible (although very unlikely and difficult) for another application to access the process memory block (since it is running in the same process) and get hold of the password.

Aliostad
A: 

Take a look at the reflection... using .NET Reflector.

I found that the GetPassword method is a virtual method and can easily be overridden by the providers. That's the reason you don't use a property to begin with.

// System.Web.Security.MembershipUser, as shown by .NET Reflector:
// the user object holds no password; it looks up the provider by name
// and delegates the retrieval (no password answer is passed here).
public virtual string GetPassword()
{
    return Membership.Providers[this.ProviderName].GetPassword(this.UserName, null);
}

Oh, and security of course!

Rahul Soni
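As an added example (not code from the question or from either answer), the C# below builds on the two points made above: because GetPassword() is virtual, a class derived from MembershipUser can add a retrieval check and an audit record before the call reaches the provider, and a caller can bound how long the clear-text password is referenced, which is the concern raised in the first answer. It assumes a .NET Framework application with a membership provider configured in web.config or app.config; AuditedMembershipUser, PasswordWork, GetPasswordDemo and the user name "alice" are illustrative names, not part of the Membership API.

```csharp
using System;
using System.Security;
using System.Web.Security;

// Added example, not code from the question or either answer. Assumes a
// .NET Framework application with a membership provider configured in
// web.config/app.config; the class and delegate names are illustrative.

// Work performed while the password lives only in a SecureString.
public delegate T PasswordWork<T>(SecureString password);

public class AuditedMembershipUser : MembershipUser
{
    // Copy the public state of an existing MembershipUser. The base
    // constructor throws if providerName is not a configured provider.
    public AuditedMembershipUser(MembershipUser source)
        : base(source.ProviderName, source.UserName, source.ProviderUserKey,
               source.Email, source.PasswordQuestion, source.Comment,
               source.IsApproved, source.IsLockedOut, source.CreationDate,
               source.LastLoginDate, source.LastActivityDate,
               source.LastPasswordChangedDate, source.LastLockoutDate)
    {
    }

    // GetPassword is virtual, so the check and the audit record happen
    // before the call is delegated to the provider that stores the password.
    public override string GetPassword()
    {
        MembershipProvider provider = Membership.Providers[ProviderName];
        if (provider == null)
        {
            throw new InvalidOperationException(
                "No membership provider named '" + ProviderName + "'.");
        }
        if (!provider.EnablePasswordRetrieval)
        {
            // Fail before touching the provider: a store that only keeps
            // hashes cannot return clear text anyway.
            throw new NotSupportedException(
                "Provider '" + ProviderName + "' does not allow password retrieval.");
        }
        Audit("GetPassword for user '" + UserName + "' via provider '" + ProviderName + "'");
        return base.GetPassword();
    }

    // Illustrative audit sink; a real application writes to its own log.
    private static void Audit(string message)
    {
        Console.Error.WriteLine(DateTime.UtcNow.ToString("o") + " " + message);
    }

    // Fetch the password only for the duration of 'work', then drop it.
    // Caveat: the string the provider returned is immutable and cannot be
    // zeroed, so this bounds how long references to it are held, nothing more.
    public T UsePassword<T>(PasswordWork<T> work)
    {
        string clear = GetPassword();
        using (SecureString secure = new SecureString())
        {
            foreach (char c in clear)
            {
                secure.AppendChar(c);
            }
            secure.MakeReadOnly();
            clear = null; // release the reference as soon as the copy exists
            return work(secure);
        }
    }
}

public static class GetPasswordDemo
{
    // Example call; "alice" is an assumed user name in the configured provider.
    public static int PasswordLength()
    {
        MembershipUser raw = Membership.GetUser("alice");
        AuditedMembershipUser user = new AuditedMembershipUser(raw);
        return user.UsePassword<int>(delegate(SecureString p) { return p.Length; });
    }
}
```

With the default SqlMembershipProvider configured for hashed passwords, EnablePasswordRetrieval is false and PasswordLength() throws NotSupportedException before any database call is made; only a provider configured for clear or encrypted storage returns a value. The override does not change what the provider returns, it only narrows when and for how long the caller holds it.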