WebSecurity.UserExists() returns wrong value

2
votes

I'm using ASP.NET MVC 4 with SimpleMembership. When I call WebSecurity.UserExists() for a specific user, it is returning true. However, the given user exists in the profile table but does not exist in the membership table.

The online documentation for this function has contradicting statements about the 2 tables. On one hand, it says

Returns a value that indicates whether the specified user exists in the membership database.

Then later it says

true if the username exists in the user profile table; otherwise, false.

I am maintaining my own user profile table, and letting SimpleMembership build and maintain its own membership table (webpages_Membership). The user in question exists in my profile table, but NOT in webpages_Membership.

I want users to self-register, but only allow people with a record in the profile table to do that. This user, therefore, exists in the profile table, but is not yet registered. When a user attempts to register, I want to be able to check that they DO have a record in the profile table, but this function isn't doing what I expect it to. And, more troubling, the documentation is unclear on whether it checks the profile table or the membership table.

2
asp.netasp.net-mvc-4simplemembership
Think maybe you can break that into shorter paragraphs so its a bit easier to read?user47589
In addition to what @Amy is saying you should probably add some code samples too, since samples are easier to read/understand than long paragraphs.SOfanatic
I've tried to make the post more readable, but you should follow the advice here and add a code snippet that shows what's not working like you expect it to.Josh Darnell
Can I suggest you use any diassembler e.g. ILSpy, open the referenced DLL. I think WebMatrix. Webdata, that contains code for WebSecurity class. This class uses SimpleMembership provider and calls its methods. This way you would be sure from which table it is coming from.SBirthare
Not sure if the documentation was updated after this question was asked, but it state very clearly in Remarks section of the documentation for WebSecurity.UserExists msdn.microsoft.com/en-us/library/… "The method verifies that the user exists in the user profile table. However, it does not verify that a membership account exists for that user."Kevin Junghans

2 Answers

1
votes

Looking at the WebSecurity and SimpleMembershipProvider code I can confirm that it checks the user from the UserTable i.e. we specify table name in call to InitializeDatabase as shown below:

WebSecurity.InitializeDatabaseConnection("MyDbContext", "UserProfile", "UserId",
                                "UserName", true);

So in this case it checks in UserProfile table, when you make a call 

WebSecurity.UserExists(userName);

It travels to the MembershipProvider you have associated at the time of initialization, in MVC4 default is

SimpleMembershipProvider

So it goes to SimpleMembershipProvider.GetUser() and there it checks like this:

SimpleMembershipProvider.GetUserId(database, this.SafeUserTableName, this.SafeUserNameColumn, this.SafeUserIdColumn, username);

This clearly shows it is checking in the user table and NOT in the membership table.

I see your confusion, when they say membership database, they are referring the data store where you keep your user data and NOT the membership TABLE.

I do not get what actually the problem is, as you only said:

When I call WebSecurity.UserExists() for a specific user, it is returning true. However, the given user exists in the profile table but does not exist in the membership table.

This is default behavior. What are you expecting from it?

Moreover in my opinion, i do not think its good idea to establish whether a user is registered or not using Membership table as each user in UserTable has an associated entry in the Membership table (may not be necessarily but in my case I can see that).

Can not you have a column IsRegistered in the UserTable itself to establish this?

1
votes

Read this article on how to setup self-registration using SimpleMembership. There is no need to check if membership information has been added. Instead use the WebSecurity.IsConfirmed method to tell if a user has completed registration or not.