
I was testing MVC SimpleMembership UserProfiles when I noticed this behavior.

I created a new MVC project with Internet settings in VS2012. Ran the project. Created a new user by registering under the user name "User Name" and password "Somepassword". Then logged out. Signed in again but used the user name "user name" and "Somepassword". Notice that I changed the user name letters to lower case "u" & "n". I tried combinations, and in each case the application logged me in as a Member under "User Name", although the Log In partial displayed "user name" (and the other combinations). I am a little bit worried about the security of the MVC app. Can someone explain why this is the behaviour in MVC4 ASP.NET with Simple Membership?

Flood Gravemind
    My guess is that the uniqueness of usernames is case-insensitive. – David Sep 24 '13 at 21:16
  • @David That is obvious. – Flood Gravemind Sep 24 '13 at 21:19
  • 1
    Yes, it's obvious, and I don't understand why are you concerned with something that is obvious. I mean what is your question anyways? The username is not case sensitive, that is obvious. The password is case sensitive. It's the way it should be and it's the way it is. Feel free to write your own membership provider implementation if what other people find as obvious doesn't fit your specific business rules. – Darin Dimitrov Sep 24 '13 at 21:21

1 Answer

I am a little bit worried about the security of the MVC app. Can someone explain why this is the behaviour in MVC4 ASP.NET with Simple Membership?

No, don't be worried. The username is not case sensitive, whereas the password is case sensitive. It's the way all major websites on the internet work anyway. Take Google, for example, if you have some concerns about security: you can mix whatever casing comes to your mind for the username. It's the password that's perfectly case sensitive, and it's the way it should be.

And now, of course, if for some weird reason you want case sensitivity for usernames (why on Earth would you?), feel more than free to override the default Simple Membership provider by writing your own and implementing whatever rules you need for your specific case.

Darin Dimitrov
  • I don't want to use case sensitivity in the app. I thought I knew how membership works. But this makes me want to go back and start learning again. – Flood Gravemind Sep 24 '13 at 21:22
  • 1
    Well, if what's obvious doesn't fit your business requirements you always have the possibility of rolling your own custom membership provider. But I absolutely don't see how the case insensitivity of usernames is raising any security concerns in you about the default implementation of the Simple Membership Provider anyways. It's just natural thing and the way all major websites on the internet work today. – Darin Dimitrov Sep 24 '13 at 21:23