System.Web 2.0.0.0 System.Object The class is used in ASP.NET applications to validate user credentials and manage user settings such as passwords and e-mail addresses. The class can be used on its own, or in conjunction with the to create a complete system for authenticating users of a Web application or site. The control encapsulates the class to provide a convenient mechanism for validating users. If you are not familiar with the membership features of ASP.NET, see Introduction to Membership before continuing. For a list of other topics related to membership, see Managing Users By Using Membership. The class provides facilities for: Creating new users. Storing membership information (user names, passwords, e-mail addresses, and supporting data) in Microsoft SQL Server or in an alternative data store. Authenticating users who visit your site. You can authenticate users programmatically, or you can use the control to create a complete authentication system that requires little or no code. Managing passwords, which includes creating, changing, retrieving, and resetting them, and so on. You can optionally configure ASP.NET membership to require a password question and answer to authenticate password reset or retrieval requests for users that have forgotten their password. Although ASP.NET membership is a self-standing feature in ASP.NET For authentication, it can be integrated with ASP.NET role management to provide authorization services for your site. Membership can also be integrated with the ASP.NET user to provide application-specific customization that can be tailored to individual users. For details, see Understanding ASP.NET Role Management and Understanding ASP.NET Profile Properties. The class relies on membership providers to communicate with a data source. The .NET Framework includes a , which stores user information in a Microsoft SQL Server database, and an , which enables you to store user information on an Active Directory or Active Directory Application Mode (ADAM) server. You can also implement a custom membership provider to communicate with an alternative data source that can be used by the class. Custom membership providers inherit the abstract class. For more information, see Implementing a Membership Provider. By default, ASP.NET membership is enabled for all ASP.NET applications. The default membership provider is the and is specified in the machine configuration with the name AspNetSqlProvider. The default instance of the is configured to connect to a local instance of Microsoft SQL Server. You can modify the default settings to specify a other than the AspNetSqlProvider instance as the default provider, or specify an instance of a custom provider as the default provider for your ASP.NET application using the Web.config file. You can specify the ASP.NET membership configuration for your Web application using the membership configuration section in the Web.config file. You can use the providers subsection of the membership section to specify a membership provider other than one of the default providers. For example, the following membership section removes the default membership providers from the current application configuration and adds a new provider with a name of SqlProvider that connects to a SQL Server instance named AspSqlServer.

<configuration>
  <connectionStrings>
    <add name="SqlServices" connectionString="Data Source=AspSqlServer;Integrated Security=SSPI;Initial Catalog=aspnetdb;" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20">
      <providers>
        <remove name="AspNetSqlProvider" />
        <add name="SqlProvider"
          type="System.Web.Security.SqlMembershipProvider"
          connectionStringName="SqlServices"
          enablePasswordRetrieval="false"
          enablePasswordReset="true"
          requiresQuestionAndAnswer="true"
          passwordFormat="Hashed"
          applicationName="/" />
      </providers>
    </membership>
  </system.web>
</configuration>

Validates user credentials and manages user settings. This class cannot be inherited.

Property System.String To be added. The is used to identify users specific to an application. That is, the same user name can exist in the database for multiple ASP.NET applications that specify a different . This enables multiple applications to use the same database to store user information without running into duplicate user name conflicts. Alternatively, multiple ASP.NET applications can use the same user database by specifying the same . The can be set programmatically or declaratively in the configuration for the Web application. Because a single default membership provider instance is used for all of the requests served by an object, you can have multiple requests executing concurrently and attempting to set the property value. The property is not thread safe for multiple writes, and changing the property value can result in unexpected behavior for multiple users of an application. We recommend that you avoid writing code that allows users to set the property, unless you must. An example of an application where setting the property may be required is an administrative application that manages membership data for multiple applications. Such an application should be a single-user application and not a Web application.

Gets or sets the name of the application.

2.0.0.0 Method System.Web.Security.MembershipUser adds a new user to the data store and returns a object for the newly created user. If the user creation fails, a is thrown. You can retrieve a value from the property of the that indicates why user creation failed. Once a membership user has been created and you have a reference to a object for that user, you can modify the settings for that user with the public methods, such as for applications where is true, or by setting the property values of the object and passing them to the method. If a user already exists in the data source for the application, you can obtain a object for the existing user with the method. The provides an option to require a unique e-mail address for each user. If the property is true, you will need to use one of the overloads that allows you to specify an e-mail address for the user being created. Otherwise, a will be thrown. Leading and trailing spaces are trimmed from all parameter values.

Adds a new user to the data store.

A object for the newly created user. The user name for the new user. The password for the new user. 2.0.0.0 Method System.Web.Security.MembershipUser adds a new user to the data store and returns a object for the newly created user. If the user creation fails, a is thrown. You can retrieve a value from the property of the that indicates why user creation failed. Once a membership user has been created and you have a reference to a object for that user, you can modify the settings for that user with the public methods, such as for applications where is true, or by setting the property values of the object and passing them to the method. If a user already exists in the data source for the application, you can obtain a object for the existing user with the method. Leading and trailing spaces are trimmed from all parameter values.

Adds a new user with a specified e-mail address to the data store.

A object for the newly created user. The user name for the new user. The password for the new user. The e-mail address for the new user. 2.0.0.0 Method System.Web.Security.MembershipUser To be added. To be added. To be added. To be added. To be added. To be added. To be added.

To be added.

To be added. To be added. 2.0.0.0 Method System.Web.Security.MembershipUser To be added. To be added. To be added. To be added. To be added. To be added. To be added. To be added.

To be added.

To be added. To be added. 2.0.0.0 Method System.Boolean User data stored in the database for the , , or personalization is also deleted when you are using the , , and objects for data storage.

Deletes a user and any related user data from the database.

true if the user was deleted; otherwise, false. The name of the user to delete. 2.0.0.0 Method System.Boolean Users deleted from the database are only deleted from the configured applicationName. If is true, user data stored in the database for the , , or personalization is also deleted when you are using the , , and objects for data storage.

Deletes a user from the database.

true if the user was deleted; otherwise, false. The name of the user to delete. true to delete data related to the user from the database; false to leave data related to the user in the database. 2.0.0.0 Property System.Boolean To be added. Password reset is the ability for ASP.NET membership to replace the current password for a user name with a new, randomly generated password when a user has forgotten their password or the current password is no longer valid. This is especially useful when password format is set to , as users cannot retrieve hashed password values.

Gets a value indicating whether the current membership provider is configured to allow users to reset their passwords.

2.0.0.0 Property System.Boolean To be added. If is false, the underlying membership provider may throw a . The providers that are included with the .NET Framework support multiple password formats to enhance password security. If the password format is set to , then users will not be able to retrieve their existing password from the database. The password format provides one-way encoding of password values. Passwords are "hashed" and compared to values stored in the database for authentication. "Hashed" values cannot be un-encoded to retrieve the original password value. For more information, see .

Gets a value indicating whether the current membership provider is configured to allow users to retrieve their passwords.

2.0.0.0 Method System.Web.Security.MembershipUserCollection returns a list of membership users where the e-mail address matches the supplied for the configured applicationName. The performs its search using a LIKE clause against the parameter. Any wildcards that are supported by SQL Server in LIKE clauses can be used in the parameter value.

Gets a collection of membership users where the e-mail address contains the specified e-mail address to match.

A that contains all users that match the parameter. Leading and trailing spaces are trimmed from the parameter value. The e-mail address to search for. 2.0.0.0 Method System.Web.Security.MembershipUserCollection To be added. To be added. To be added. To be added.

To be added.

To be added. To be added. 2.0.0.0 Method System.Web.Security.MembershipUserCollection To be added. returns a list of membership users where the user name matches the supplied for the configured applicationName. The performs its search using a LIKE clause against the parameter. Any wildcards that are supported by SQL Server in LIKE clauses can be used in the parameter value. Leading and trailing spaces are trimmed from all parameter values.

Gets a collection of membership users where the user name contains the specified user name to match.

A that contains all users that match the parameter. Leading and trailing spaces are trimmed from the parameter value. 2.0.0.0 Method System.Web.Security.MembershipUserCollection To be added. To be added. To be added. To be added.

To be added.

To be added. To be added. 2.0.0.0 Method System.String The method is used to generate a random password and is most commonly used by the method implemented by a membership provider to reset the password for a user to a new, temporary password. The generated password only contains alphanumeric characters and the following punctuation marks: !@#$%^&*()_-+=[{]};:<>|./?. No hidden or non-printable control characters are included in the generated password. The random password created by the method is not guaranteed to pass the regular expression in the property. However, the random password will meet the criteria established by the property and the parameter.

Generates a random password of the specified length.

A random password of the specified length. The number of characters in the generated password. The length must be between 1 and 128 characters. The minimum number of non-alphanumeric characters (such as @, #, !, %, &, and so on) in the generated password. 2.0.0.0 Method System.Web.Security.MembershipUserCollection returns the information for all membership users for an application as a collection of objects. Be careful when using the method with very large user databases, as the resulting in your ASP.NET page may degrade the performance of your application.

Gets a collection of all the users in the database.

A of objects representing all of the users in the database. 2.0.0.0 Method System.Web.Security.MembershipUserCollection To be added. To be added. To be added.

To be added.

To be added. To be added. 2.0.0.0 Method System.Int32 returns the number of users for the current where the last-activity date is greater than the current time less the . The last-activity date/time stamp is updated to the current date and time when user credentials are validated by way of the or method or when a call to a overload that takes no parameters or one that uses the parameter to specify that the date/time stamp should be updated.

Gets the number of users currently accessing an application.

The number of users currently accessing an application. 2.0.0.0 Method System.Web.Security.MembershipUser retrieves the user information from the data source and creates a object populated with the returned data. If you use one of the overloads that does not take a parameter, returns the information for the current logged-on membership user. The current logged-on membership user is identified by the of the user in the current . You can also specify whether you want to update the last-activity date/time stamp for the user being retrieved using the parameter. Of the overloads that do not take a parameter, GetUser() implicitly updates the last-activity date/time stamp for the user. GetUser(System.String) and GetUser(System.Object) do not.

Gets the information from the data source and updates the last-activity date/time stamp for the current logged-on membership user.

A object representing the current logged-on user. 2.0.0.0 Method System.Web.Security.MembershipUser The method retrieves the user information from the data source and creates a object populated with the returned data. If you use one of the overloads that does not take a parameter, returns the information for the current logged-on membership user. The current logged-on membership user is identified by the of the user in the current . You can also specify whether you want to update the last-activity date/time stamp for the user being retrieved using the parameter. Of the overloads that do not take a parameter, GetUser() implicitly updates the last-activity date/time stamp for the user. GetUser(System.String) and GetUser(System.Object) do not.

Gets the information from the data source for the current logged-on membership user. Updates the last-activity date/time stamp for the current logged-on membership user, if specified.

A object representing the current logged-on user. If true, updates the last-activity date/time stamp for the specified user. 2.0.0.0 Method System.Web.Security.MembershipUser The method retrieves the user information from the data source and creates a object populated with the returned data. The user is identified using the unique identifier from the data source specified using the parameter. You can also specify whether you want to update the last-activity date/time stamp for the user being retrieved with the parameter. Of the overloads that do not take a parameter, GetUser() implicitly updates the last-activity date/time stamp for the user. GetUser(System.String) and GetUser(System.Object) do not

Gets the information from the data source for the membership user associated with the specified unique identifier.

A object representing the user associated with the specified unique identifier. The unique user identifier from the membership data source for the user. 2.0.0.0 Method System.Web.Security.MembershipUser The method retrieves the user information from the data source and creates a object populated with the returned data. If you use one of the overloads that does not take a parameter, returns the information for the current logged-on membership user. The current logged-on membership user is identified by the of the user in the current . You can also specify whether you want to update the last-activity date/time stamp for the user being retrieved with the parameter. Of the overloads that do not take a parameter, implicitly updates the last-activity date/time stamp for the user. and do not.

Gets the information from the data source for the specified membership user.

A object representing the specified user. If the parameter does not correspond to an existing user, this method returns null. The name of the user to retrieve. 2.0.0.0 Method System.Web.Security.MembershipUser The method retrieves the user information from the data source and creates a object populated with the returned data. The user is identified with the unique identifier from the data source specified in the parameter.

Gets the information from the data source for the membership user associated with the specified unique identifier. Updates the last-activity date/time stamp for the user, if specified.

A object representing the user associated with the specified unique identifier. The unique user identifier from the membership data source for the user. If true, updates the last-activity date/time stamp for the specified user. 2.0.0.0 Method System.Web.Security.MembershipUser The method retrieves the user information from the data source and creates a object populated with the returned data. If you use one of the overloads that does not take a parameter, returns the information for the current logged-on membership user. The current logged-on membership user is identified by the of the user in the current . You can also specify whether you want to update the last-activity date/time stamp for the user being retrieved with the parameter. Of the overloads that do not take a parameter, implicitly updates the last-activity date/time stamp for the user. and do not.

Gets the information from the data source for the specified membership user. Updates the last-activity date/time stamp for the user, if specified.

A object representing the specified user. If the parameter does not correspond to an existing user, this method returns null. The name of the user to retrieve. If true, updates the last-activity date/time stamp for the specified user. 2.0.0.0 Method System.String To be added. can be used to retrieve the user name for a membership user in the case where a user does not know their user name, but does know their e-mail address. If more than one user in the data store has the same e-mail address, the first user name encountered is returned. Leading and trailing spaces are trimmed from all parameter values.

Gets a user name where the e-mail address for the user matches the specified e-mail address.

The user name where the e-mail address for the user matches the specified e-mail address. If no match is found, null is returned. 2.0.0.0 Property 2.0.0.0 System.String To be added. The property identifies the custom hash algorithm used by the class. You set the property using the hashAlgorithmType attribute of the membership element. The .NET Framework enables you to configure custom cryptography classes using the cryptographySettings element configuration section. The property must match the name attribute of the nameEntry element in a cryptoNameMapping element. For more information, see Mapping Algorithm Names to Cryptography Classes. If the property is not set, the class uses the hash algorithm set in the validation attribute of the machineKey element.

The identifier of the algorithm used to hash passwords.

Property System.Int32 To be added. The property works in conjunction with the property to guard against an unwanted source using repeated attempts to guess the password or password answer of a membership user. If the number of invalid passwords or password answers entered for a membership user is greater than or equal to the value of the property within the number of minutes specified by the property, then the user is locked out of the Web site by setting the property to true until the user is unlocked by a call to the method. If a valid password or password answer is supplied before the value of the property is reached, the counter that tracks the number of invalid attempts is set to zero. Invalid password and password answer attempts are tracked separately. For example, if the property is set to 5, the user has up to five attempts to enter a correct password and up to five attempts to enter a correct password answer without being locked out. The property value is set in the application configuration using the maxInvalidPasswordAttempts attribute of the membership configuration element. If the property is false, invalid password-answer attempts are not tracked.

Gets the number of invalid password or password-answer attempts allowed before the membership user is locked out.

2.0.0.0 Property System.Int32 To be added. The property returns the minimum number of special, non-alphanumeric characters that must be entered to create a valid password for the membership provider specified in the property. The property value is set in the application configuration using the minRequiredNonAlphanumericCharacters attribute of the membership configuration element. A non-alphanumeric character is a character for which the method returns false.

Gets the minimum number of special characters that must be present in a valid password.

2.0.0.0 Property System.Int32 To be added. The property gets the minimum number of characters that must be entered to create a valid password for the membership provider specified in the property. The property value is set in the application configuration using the minRequiredPasswordLength attribute of the membership configuration element.

Gets the minimum length required for a password.

2.0.0.0 Property System.Int32 To be added. The property works in conjunction with the property to help guard against an unwanted source guessing the password or password answer of a membership user through repeated attempts. When a user attempts to log in with, change, or reset his or her password, only a certain number of consecutive attempts are allowed within a specified time window. The length of this time window is specified in the property, which identifies the number of minutes allowed between invalid attempts. If the number of consecutive failed attempts that a user makes to reset his or her password equals the value stored in the property, and the time elapsed since the last invalid attempt is less than the number of minutes specified in the property, then the membership user is locked out. The user is locked out by setting the property to true until the user is unlocked by a call to the method. If the interval between the current failed attempt and the last failed attempt is greater than the property setting, the current invalid attempt is counted as the first. If a valid password answer is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password-answer attempts is set to 0 (zero). If a valid password is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password attempts and the count of invalid password-answer attempts are set to 0 (zero). Invalid password and password-answer attempts accumulate independently of one another. For example, if the is set to 5, and three invalid password attempts are made followed by two invalid password-answer attempts, two more invalid password attempts (or three more invalid password-answer attempts) must be made within for the membership user to be locked out. The property value is set in the application configuration by using the passwordAttemptWindow attribute of the membership configuration-element section. If the property is set to false, invalid password-answer attempts are not tracked.

Gets the time window between which consecutive failed attempts to provide a valid password or password answer are tracked.

2.0.0.0 Property System.String To be added. The property gets the regular expression used to evaluate password complexity from the provider specified in the property. The property is set in the application configuration using the passwordStrengthRegularExpression attribute of the membership configuration element. For more information about regular expressions, see .NET Framework Regular Expressions.

Gets the regular expression used to evaluate a password.

2.0.0.0 Property System.Web.Security.MembershipProvider To be added. The property enables you to reference the default membership provider for an application directly. This is commonly used to access custom members of the membership provider that are not part of the abstract base class.

Gets a reference to the default membership provider for the application.

2.0.0.0 Property System.Web.Security.MembershipProviderCollection To be added. The property references all of the membership providers enabled for an application, including providers added in the Web.config file for the application and the Machine.config file for all applications. You can control which membership providers are available for an application using the providers element of the membership section in the configuration for your application. For example, the following sample shows the membership section in the Web.config file for an application that removes the instance (AspNetSqlProvider) specified in the machine configuration file and adds a instance named SqlProvider as the default membership provider for the application.

<configuration>
  <connectionStrings>
    <add name="SqlServices" connectionString="Data Source=MySqlServer;Integrated Security=SSPI;Initial Catalog=aspnetdb;" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20">
      <providers>
        <remove name="AspNetSqlProvider" />
          <add name="SqlProvider"
            type="System.Web.Security.SqlMembershipProvider"
            connectionStringName="SqlServices"
            enablePasswordRetrieval="false"
            enablePasswordReset="true"
            requiresQuestionAndAnswer="true"
            passwordFormat="Hashed"
            applicationName="/" />
      </providers>
    </membership>
  </system.web>
</configuration>

When specifying the membership section, you must specify the defaultProvider attribute. If you do not specify a membership section in your Web.config, the values from the machine configuration are used and the instance named AspNetSqlProvider is established as the defaultProvider. You can obtain a strongly typed reference to a provider from the collection by indexing the membership provider by name and casting it as the desired type.

Gets a collection of the membership providers for the ASP.NET application.

2.0.0.0 Property System.Boolean To be added. Requiring a password question and answer provides an additional layer of security when retrieving or resetting a user's password. Users can supply a question and answer when their user name is created that they can later use to retrieve or reset a forgotten password. is checked when or is called. The provider provided with the .NET Framework throws a if is true and the supplied password answer is null. If and are both false, can still be used to enforce the creation of questions and answers when new users are created; however, the question and answer will not be used. You will be able to retrieve the question by using the class. For more information, see and .

Gets a value indicating whether the default membership provider requires the user to answer a password question for password reset and retrieval.

2.0.0.0 Method System.Void takes, as input, a object populated with current information for the membership user and updates the data source with the property values of the object. You can construct a new , or retrieve a object populated with current values at the data source using the , , , or methods.

Updates the database with the information for the specified user.

A object that represents the user to be updated and the updated information for the user. 2.0.0.0 Property System.Int32 To be added. The property value is checked during the call to . If the for a user is greater than the current date and time minus the value in minutes, then the user is considered online. You can determine whether a membership user is considered online with the property of the class. The for a user is updated when a user's credentials are successfully validated by the method. You can also update the for a membership user when you call one of the overloads. If you call a overload that takes a parameter, specify a value of true to update the for the user.

Specifies the number of minutes after the last-activity date/time stamp for a user during which the user is considered online.

2.0.0.0 Method System.Boolean provides an easy way to verify a user name and password from the data source. Note that, if the parameter is empty or null, an is thrown.

Verifies that the supplied user name and password are valid.

true if the supplied user name and password are valid; otherwise, false. The name of the user to be validated. The password for the specified user. 2.0.0.0 Event System.Web.Security.MembershipValidatePasswordEventHandler The event is raised when the method, the method, or the method of a membership provider is called. You can use the event to validate password formats and values for membership users. You can cancel the current , , or action by setting the property of the supplied to true during the event. If you cancel the current action by setting the property to true, you can set the property of the supplied to an exception that describes the reason for the password-validation failure. The calling method will throw the exception that the property is set to. If the property is null, the caller will throw a generic password-validation-failure exception.

Occurs when a user is created, a password is changed, or a password is reset.

2.0.0.0