How to make WebSecurity.Login to login using username or email?

Question

WebSecurity.Login in simplemembership take username and password, how to make it to login the user using username or email instead of just username?, to make the user free to enter his email or username to login.

Answer 1

You could inherit from the SimpleMembershipProvider and just override the ValidateUser method like this.

public class ExtendedSimpleMembershipProvider : SimpleMembershipProvider
{
    public override bool ValidateUser(string login, string password)
    {
        // check to see if the login passed is an email address
        if (IsValidEmail(login))
        {
            string actualUsername = base.GetUserNameByEmail(login);
            return base.ValidateUser(actualUsername, password);
        }
        else
        {
            return base.ValidateUser(login, password);
        }

    }

    bool IsValidEmail(string strIn)
    {
        // Return true if strIn is in valid e-mail format.
        return Regex.IsMatch(strIn, @"^([\w-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([\w-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$");
    }

}

This is just one approach. You could write your own MembershipProvider but if you only need to change the ValidateUser method this should work.

Add the following configuration to the web.config to setup the provider.

  <membership defaultProvider="ExtendedSimpleMembershipProvider">   
    <providers>
    <clear/>
    <add name="ExtendedSimpleMembershipProvider"
         type="MyProject.Web.SimpleMembershipProvider, MyProject.Web"/>
    </providers>
  </membership>

That should get you going in the right direction.

Answer 2

WebSecurity just calls FormsAuthentication under the hood. You can do this:

if (WebSecurity.UserExists(username)) 
{
     FormsAuthentication.SetAuthCookie(username, false);
}

Curious why you need this feature. (FYI: My reasoning for needing this is if a user has authenticated with PayPal in an Express Checkout (shopping cart) flow I allow them to be auto-logged into my site as that same user because I consider the risk very low that it would not be the right person).

May be of use: Difference between FormsAuthentication and WebSecurity

Answer 3

You can just pull the user with given email from UserProfiles table

 [HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)
{
  var login = false;
  if (ModelState.IsValid)
  {
    if (!model.UserName.Contains("@"))
    {
      if (WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
        login = true;
    }
    else
    {
      var targetUser = db.UserProfiles.Where(u => u.Email == model.UserName).FirstOrDefault();
      if (targetUser != null && WebSecurity.Login(targetUser.UserName, model.Password, persistCookie: model.RememberMe))
        login = true;
    }

  }
  if (login)
    return Redirect(returnUrl);
  // If we got this far, something failed, redisplay form
  ModelState.AddModelError("", "The user name or password provided is incorrect.");
  return View(model);
}

Answer 4

Don't use email for user identification. It is a very easy thing to guess and today people could use a tool to guess that for them. That is why username is used, it could be anything.

With that being said, if you really want to - you can use the ID of the table where the username/email + password is located and match it first to a username and if that fails match it to an email. If both fail, login fails.

You should have no problems using this below to your check code, since you didn't post anything here I can't modify to see what you need.

WebSecurity.GetUserId(email);

For your next questions regarding MVC you should check ASP forums first then try here. Just an opinion