Configuring the default Asp.Net Membership Provider

If you have not specifically added a Membership section to the web.config file for your application, then the default provider settings will be in place. The default Asp.Net Membership Provider is the SqlMembershipProvider with the following settings (and more):

  • Passwords will be one-way hashed
  • Password recovery will be disabled
  • Password reset will be enabled
  • Password answers are required to perform password reset
  • Passwords must be a minimum of 7 characters and include at least one non-alphanumeric character
  • The connectionString named "LocalSqlServer" will be used to access the membership database

Your web application is configured through entries in the web.config file, located in the root folder of your application. Even if you've never specifically opened this file for editing, web.config may contain customized settings as a result of using the Asp.Net Web Site Administration Tool or running the application in debug mode. Unless you have specifically created a membership section in web.config, however, your membership provider will use the Asp.Net default settings.

Default settings for Asp.Net applications are retrieved from sections in a file called machine.config (under C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727). Since machine.config should never be modified, you make entries in your application's web.config file to override the default behaviors.

Custom Membership Provider Settings

To gain better control over your membership configuration, you can add a membership element anywhere within the system.web element of your web.config file as shown here:

     <configuration>
        ...
        <system.web>
            ...
            <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20">
                <providers>
                    <clear/>
                    <add name="SqlProvider"
                        type="System.Web.Security.SqlMembershipProvider"
                        connectionStringName="LocalSqlServer"
                        enablePasswordReset="true"
                        requiresQuestionAndAnswer="false"
                        requiresUniqueEmail="false"
                        maxInvalidPasswordAttempts="5"
                        passwordAttemptWindow="10"
                        passwordFormat="Hashed"
                        minRequiredPasswordLength="7"
                        minRequiredNonalphanumericCharacters="0"
                        passwordStrengthRegularExpression=""
                        enablePasswordRetrieval="false"
                        applicationName="/" />
                </providers>
            </membership>
            ...
        </system.web>
        ...
    </configuration>

Explained

  • Here, we are using Microsoft's System.Web.Security.SqlMembershipProvider and calling it "SqlProvider".
  • In the membership element, we tell Asp.Net that we will be using "SqlProvider" as our default provider and also that the inactivity timeout is 20-minutes.
  • The "clear" element removes any default provider declarations and, more importantly, ensures that no provider named "SqlProvider" has already been declared.
  • The "add" element lets us define how our provider will behave.
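Because the provider actually in effect may come from machine.config rather than from your own web.config, it is worth confirming at runtime which provider is loaded and what its settings are. The following C# is an added example, not code from the original article or from Dot Net Dash: it reads the provider named by defaultProvider through the real System.Web.Security API and reports settings that fall below a hardening baseline. The class and method names (MembershipConfigAudit, Audit, Report) are chosen here. The numeric thresholds are taken from the example configuration above; requiring a question and answer for reset follows the Asp.Net defaults listed at the top of the article rather than the example, which turns it off.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;

// Added example, not from the original article. The baseline values below are
// assumptions modelled on the example web.config and the described defaults.
public static class MembershipConfigAudit
{
    // Returns one line per setting that falls below the baseline; an empty
    // list means the provider meets it.
    public static List<string> Audit(MembershipProvider p)
    {
        var findings = new List<string>();

        // Only Hashed keeps stored credentials from being recoverable if the
        // membership database is read by someone who should not have it.
        if (p.PasswordFormat != MembershipPasswordFormat.Hashed)
            findings.Add("passwordFormat=" + p.PasswordFormat + " (expected Hashed)");

        // Retrieval hands the stored password back to the caller; it is only
        // possible with Clear or Encrypted and should stay off.
        if (p.EnablePasswordRetrieval)
            findings.Add("enablePasswordRetrieval=true (expected false)");

        // Reset without a verified answer lets anyone who reaches the reset
        // path replace the user's password.
        if (p.EnablePasswordReset && !p.RequiresQuestionAndAnswer)
            findings.Add("enablePasswordReset=true but requiresQuestionAndAnswer=false");

        // Lockout guards against password guessing: few attempts, long window.
        if (p.MaxInvalidPasswordAttempts > 5 || p.PasswordAttemptWindow < 10)
            findings.Add(string.Format(
                "maxInvalidPasswordAttempts={0}, passwordAttemptWindow={1} min (expected <=5 in >=10 min)",
                p.MaxInvalidPasswordAttempts, p.PasswordAttemptWindow));

        // Minimum length from the example configuration.
        if (p.MinRequiredPasswordLength < 7)
            findings.Add("minRequiredPasswordLength=" + p.MinRequiredPasswordLength + " (expected >=7)");

        return findings;
    }

    // Audits the provider named by defaultProvider (or the machine.config
    // default when web.config has no <membership> section) and names it, so
    // each finding can be traced to the right configuration file.
    public static string Report()
    {
        MembershipProvider p = Membership.Provider;
        List<string> findings = Audit(p);
        string header = "Provider in effect: " + p.Name + " (" + p.GetType().FullName + ")";
        if (findings.Count == 0)
            return header + Environment.NewLine + "No findings.";
        return header + Environment.NewLine + string.Join(Environment.NewLine, findings.ToArray());
    }
}
```

Call Report() from an administrator-only page inside the running application; Membership.Provider is only initialized in an Asp.Net request context. If the name it reports is "AspNetSqlMembershipProvider" rather than your own, the machine.config default is still in effect and your web.config has no membership section overriding it.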

The following is a description of each of the SqlMembershipProvider settings:

name
This is an arbitrary name that you give to your particular set of configuration options. Keep in mind that the name you specify here must also be specified for the "defaultProvider" attribute of the membership element, and it is case sensitive.

type
This is the type of the provider you will be using. In the example above, we are using Microsoft's SqlMembershipProvider, but you could reference another "out of the box" provider or one that you create yourself.
Note that the type is specified according to Microsoft's rules for a fully-qualified type name. Example: "namespace.classname, assemblyname"

connectionStringName
This is the name of the connection string, specified in the "connectionStrings" section of your configuration file, that contains the connection information for your membership database.

enablePasswordReset
When enablePasswordReset is set to true, the provider will generate a new random password when the ResetPassword provider method is called. This also allows the Asp.Net PasswordRecovery control to present an option that lets users reset their password. Note that if the requiresQuestionAndAnswer property is also true, the user will be required to correctly answer the password question before the password is reset.

requiresQuestionAndAnswer
When requiresQuestionAndAnswer is set to true, a password answer is required for password reset and retrieval. This property also affects the behavior of the Asp.Net CreateUserWizard and PasswordRecovery controls. When set to true, new users will be required to create a password question and answer when creating an account, and then provide the password answer in response to the question when recovering a forgotten password.

requiresUniqueEmail
This property determines whether the membership provider will require that all members have unique e-mail addresses. By setting this property to true, you can ensure that users can be uniquely located by their e-mail address.

maxInvalidPasswordAttempts
This property works in conjunction with passwordAttemptWindow to provide security against attempts to guess member passwords. If the maxInvalidPasswordAttempts number is exceeded within the password attempt window, the user will become locked out. You can use the Membership Manager to identify and unlock users that have become locked out.

passwordAttemptWindow
Defines the number of minutes within which an excessive number of invalid password attempts will cause the user to become locked out. This is part of a security measure to guard against attempts to guess a member's password.

passwordFormat
Determines the format used to store passwords. Supported values are "Clear", "Encrypted" and "Hashed". See the article Asp.Net Membership Provider Password Formats for details on the various password formats.

minRequiredPasswordLength
This property determines the minimum number of characters that must be used when creating passwords. Along with the minRequiredNonalphanumericCharacters and passwordStrengthRegularExpression properties, this defines the complexity, and therefore the overall strength, of your membership password system.

minRequiredNonalphanumericCharacters
Determines the number of special characters that must be present (anywhere in the password) in order for the password to be considered valid. Special characters are any characters other than letters or digits. (Note the lowercase "a" in "alphanumeric": configuration attribute names are case sensitive.)

passwordStrengthRegularExpression
Specifies a regular expression that passwords must match in order to meet the required complexity. Since a regular expression can express both the need for special characters and a minimum length, you could use one in place of the minRequiredPasswordLength and minRequiredNonalphanumericCharacters properties.

enablePasswordRetrieval
Determines whether the membership provider supports retrieval of passwords. This property can only be set to true when the Clear or Encrypted password formats are used.

applicationName
Used to group user information, allowing multiple sets of users to be managed within a single database. The SqlMembershipProvider uses the forward slash "/" as the default applicationName. You could configure multiple providers, each with a distinct application name, to group users by application.
