Question

I am working on the login component of my asp.net application and part of the requirements is that the email-address would be used as the loginID.

For my "Customer" object, should I have a LoginID & an EmailAddress property or just EmailAddress? For the SQL database, would I need a LoginID field or just an EMailAddress field?

Update: In the "Edit Profile" page, the Customer has the ability to edit their email address.

Curious if someone has advice before I get too deep into this.


Solution

You can do it either way you want - use the email address as the primary key, or use another external customer id field.

My personal preference would be to use another field, and have the email address be a property. The other field would be either a guid, or some other hard-to-guess sequence. I'd go this route for two reasons:

  1. From a security standpoint, if a developer does something sloppy like leak a guid in a url or hidden field, it's (marginally) less damaging than leaking actual customer email addresses.
    • It's harder to use automation to generate a bunch of GUIDs and find a user/password match than it is to buy a list of email addresses and feed those into an automated exploit kit.
  2. Ease of maintenance - people change email addresses. If you use the email address as a primary key, you have to figure out how to transfer account settings.

I know this wasn't asked for in the question, but you're obviously building your own login mechanism, and it sounds like you may not necessarily be overly experienced. In the interest of helping you avoid mistakes I've personally made in the past, here's some good reading:

http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html
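The schema the answer above describes, as an added example that is not part of the original answer: a surrogate GUID key, the e-mail address as a unique but editable property, and dependent rows keyed by the GUID so an "Edit Profile" address change touches one row. T-SQL (SQL Server) syntax and the table and column names are assumptions.

```sql
-- Added example (not from the original answer). T-SQL syntax assumed.
-- The login id is a hard-to-guess surrogate key; the e-mail is a property.
CREATE TABLE Customer (
    CustomerId    UNIQUEIDENTIFIER NOT NULL
                  CONSTRAINT PK_Customer PRIMARY KEY DEFAULT NEWID(),
    EmailAddress  NVARCHAR(254)    NOT NULL,
    PasswordHash  VARBINARY(64)    NOT NULL,  -- salted hash only, never the plaintext
    PasswordSalt  VARBINARY(32)    NOT NULL,
    -- Uniqueness is still enforced, so the address can serve as the login name.
    CONSTRAINT UQ_Customer_Email UNIQUE (EmailAddress)
);

-- Account settings reference the surrogate key, not the e-mail address,
-- so nothing has to be "transferred" when the address changes.
CREATE TABLE CustomerSetting (
    CustomerId UNIQUEIDENTIFIER NOT NULL
               CONSTRAINT FK_CustomerSetting_Customer REFERENCES Customer(CustomerId),
    [Name]     NVARCHAR(50)  NOT NULL,
    [Value]    NVARCHAR(200) NULL,
    CONSTRAINT PK_CustomerSetting PRIMARY KEY (CustomerId, [Name])
);

-- Constructed sample values standing in for the web application's parameters.
DECLARE @EmailAddress    NVARCHAR(254)    = N'alice@example.com';
DECLARE @NewEmailAddress NVARCHAR(254)    = N'alice.new@example.com';
DECLARE @CustomerId      UNIQUEIDENTIFIER;

INSERT INTO Customer (EmailAddress, PasswordHash, PasswordSalt)
VALUES (@EmailAddress, 0x00, 0x00);  -- placeholder bytes; real code stores a salted hash

-- Login: resolve the e-mail to the id, then verify the hash in application code.
-- Only CustomerId needs to travel in the session, never the address itself.
SELECT @CustomerId = CustomerId
FROM   Customer
WHERE  EmailAddress = @EmailAddress;

INSERT INTO CustomerSetting (CustomerId, [Name], [Value])
VALUES (@CustomerId, N'Theme', N'dark');

-- "Edit Profile": change the address; the settings row above is untouched.
-- UQ_Customer_Email rejects an address already used by another account.
UPDATE Customer
SET    EmailAddress = @NewEmailAddress
WHERE  CustomerId = @CustomerId;

SELECT c.CustomerId, c.EmailAddress, s.[Name], s.[Value]
FROM   Customer c JOIN CustomerSetting s ON s.CustomerId = c.CustomerId
WHERE  c.CustomerId = @CustomerId;  -- returns the new address with the old setting
```

Note that SQL Server's default collation is case-insensitive, so the unique constraint also treats `Alice@example.com` and `alice@example.com` as the same login; on a case-sensitive collation you would normalise the address before storing it.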

OTHER TIPS

From experience I recommend you use a key combination between a unique ID of the row and the user's mail. And both you can use them as properties.

The best practice would be to ensure the login ID is unique. Email addresses are indeed unique, but you can run into issues if someone wishes to change their email address. I would recommend using a separate ID rather than email as the primary key.

Note also that there are some performance considerations when using the email address as a primary. There are some good responses in this very similar question: Use email address as primary key?.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow