Question

In the application I am working on, users are created but are not approved until they activate their account. The IsApproved flag is set to false until they have activated.

When they submit their activation, we want to check that their password is valid before activating the user, but Membership.ValidateUser(..) will always return false if the user is not approved, so there appears to be no way to differentiate between an incorrect password and a non-approved user.

How can I check the password to validate a user that is not approved?

Possible solutions I've looked at so far:

  • Custom membership provider: this is a lot of work and defeats the whole point of using the Membership system in .NET; this is basic functionality, so there must be a way to check a password.
  • Setting the IsApproved flag briefly and changing it back: this is very insecure.
  • Using ChangePassword to change to a random password and then back again, checking to see if it succeeds: this is a nasty hack, I really don't want to do this.
  • Calling the private CheckPassword function on the SqlMembershipProvider: methods are private for a reason, again, I don't want to do this.

Is there another way? Surely this is standard functionality that is just required by any full-featured user account system with activations, etc. Is there a better design for the system than what I am doing? Am I using IsApproved in the wrong way?

Thanks for the help.

Edit: This seems to have caused some confusion. I have created a user account, and it has a password that meets the complexity requirements etc. What I want to do is, when the user submits a form with their username and password in it, check that the password they have provided matches the password on the account. I just want to know if they gave the right password. From my investigation of the framework, this seems impossible to do without also checking whether their account is active.


The solution

Now I understand you. My suggestion is to temporarily store their password in the Membership Profile and match that beforehand. Once matched, activate the account and clear the Profile. NOTE: the profile will store the password in plain text. I am doing a similar thing.
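The flow the answer describes (keep a temporary copy in the Profile, match it on activation, approve the user, clear it), as an added example that is not code from the question or the answer. It swaps the plain-text copy for a salted PBKDF2 hash so the Profile never holds the password itself; it assumes a string profile property named "PendingPasswordHash" has been declared in web.config, and that the user was created with IsApproved = false.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Profile;
using System.Web.Security;

// Added example: store a salted hash of the pending password in the Profile,
// verify it on activation, then approve the MembershipUser and clear the copy.
// "PendingPasswordHash" is an assumed profile property (declare it in web.config).
public static class PendingActivation
{
    const int SaltBytes = 16, HashBytes = 32, Iterations = 10000;

    // Called at registration, right after Membership.CreateUser(..) with IsApproved = false.
    public static void Remember(string username, string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        var hash = new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashBytes);
        var profile = ProfileBase.Create(username);
        profile["PendingPasswordHash"] = Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
        profile.Save();
    }

    // Called from the activation form. Returns true only if the supplied password matches
    // and the account has been approved; ValidateUser(..) works normally from then on.
    public static bool TryActivate(string username, string password)
    {
        var profile = ProfileBase.Create(username);
        var stored = profile["PendingPasswordHash"] as string;
        if (string.IsNullOrEmpty(stored)) return false;   // nothing pending for this user
        var parts = stored.Split(':');
        var salt = Convert.FromBase64String(parts[0]);
        var expected = Convert.FromBase64String(parts[1]);
        var actual = new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(HashBytes);
        if (!FixedTimeEquals(expected, actual)) return false;

        var user = Membership.GetUser(username);
        if (user == null) return false;
        user.IsApproved = true;
        Membership.UpdateUser(user);
        profile["PendingPasswordHash"] = string.Empty;    // clear the temporary copy
        profile.Save();
        return true;
    }

    // Compare every byte so the comparison time does not depend on where a mismatch occurs.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```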

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow