I'm using the standard .NET membership provider, and thought I'd see if someone could shine a light on it.
Calling ValidateUser return either true or false. Now since the method accepts a username and password, one would reason that the return result would reflect an invalid username or password. Yet if we delve into it further, we find it is also checking IsLockedOut and IsApproved.
public override bool ValidateUser (string username, string password)
{
MembershipUser user = GetUser (username, false);
/* if the user is locked out, return false immediately */
if (user.IsLockedOut)
return false;
/* if the user is not yet approved, return false */
if (!user.IsApproved)
return false;
......
In my application, I would like to make use of IsApproved for my own means. Simply rolling my own provider won't work because I'm still constrained to a bool result. Creating a user gives us all the information we need, so why not ValidateUser? Am I missing something?
I expect that what you're seeing is a security decision - by restricting the information returned, they're not providing information to malicious parties.
Imagine that you're Cyril Cracker, trying to break into a website.
Scenario #1: You try entering username "Admin" with password "Password" and the system tells you no-go. The only information you have is that Admin/Password isn't a valid combination.
Scenario #2: You try entering username "Admin" with password "Password" and the system tells you that no user by that name is known. You can keep trying different usernames until you find one that is known.
Scenario #3: You try entering username "Admin" with password "Password" and the system tells you that no the password is invalid. Suddenly, you know that "Admin" is a valid user. You've learnt something useful, and all you need to keep guessing is the password.
Scenario #4: You try entering username "Admin" with password "Password" and the system tells you that the account is blocked. Now, you know a valid username and password, and that the account is blocked. You can come back later and try again.
Systems that spill the beans on what's valid, and what's not, are known as chatty systems, and they're considered insecure for good reason, as they're easier to crack.
Hope this is helpful.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With