Should I use the username, or the user's ID to reference authenticated users in ASP.NET

Question

So in my simple learning website, I use the built in ASP.NET authentication system.

I am adding now a user table to save stuff like his zip, DOB etc. My question is:

1. In the new table, should the key be the user name (the string) or the user ID which is that GUID looking number they use in the asp_ tables.
2. If the best practice is to use that ugly guid, does anyone know how to get it? it seems to not be accessible as easily as the name (System.Web.HttpContext.Current.User.Identity.Name)
3. If you suggest I use neither (not the guid nor the userName fields provided by ASP.NET authentication) then how do I do it with ASP.NET authentication? One option I like is to use the email address of the user as login, but how to I make ASP.NET authentication system use an email address instead of a user name? (or there is nothing to do there, it is just me deciding I "know" userName is actually an email address?

Please note:

• I am not asking on how get a GUID in .NET, I am just referring to the userID column in the asp_ tables as guid.
• The user name is unique in ASP.NET authentication.

Answer 1

You should use some unique ID, either the GUID you mention or some other auto generated key. However, this number should never be visible to the user.

A huge benefit of this is that all your code can work on the user ID, but the user's name is not really tied to it. Then, the user can change their name (which I've found useful on sites). This is especially useful if you use email address as the user's login... which is very convenient for users (then they don't have to remember 20 IDs in case their common user ID is a popular one).

Answer 2

You should use the UserID. It's the ProviderUserKey property of MembershipUser.

Guid UserID = new Guid(Membership.GetUser(User.Identity.Name).ProviderUserKey.ToString());