Friday, February 05, 2010

Sitecore 6 quick tip. Email as user name for authentication


It is pretty common to have email served as username for authentication in web systems for both visitors and internal users. Sitecore Content Management System is no exception.

With 5.3 it was pretty easy since users were just items – adjust the regex of the “ItemNameValidation” setting, make sure you don’t have @ and dots in the “InvalidItemNameChars” setting and you are pretty much set.

Now as you know, Sitecore 6 has different rules for security so you will need to do the following to make it work:
1. Make sure the membership provider treats email as a unique attribute for users so you don’t end up with more than one user attached to the same email:
<add name="sql" type="System.Web.Security.SqlMembershipProvider" connectionStringName="core" applicationName="sitecore" minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" maxInvalidPasswordAttempts="256" />

2. Put email into both username and email properties (fields) of a user during the registration (can be handled via code).

3. Introduce the following entry into the web.config’s <settings> section. The “value” attribute parameter contains the regular expression used in the Create User dialog within User Manager. This regex should allow emails, otherwise Sitecore will fallback on a default regex that does not allow it.
<setting name="AccountNameValidation" value=".+" />

4. If you want to handle the case when email needs to be changed, either provide an extranet form for the profile section on your website or you can even take it one step forward – modify the EditUser dialog within User Manager to have this ability.

Happy coding!

4 comments:

Unknown said...

If you use the email address as the username instead of having a true and permanent unique ID, then when the user updates their email address, you can lose track of their history in things like comments, etc. (anything that references the user by their login/address) So if you take this route, when they change their address, you should do something that updates any records that contain the old login/address. If you own all of the email addresses (such as an Intranet, or something like Yahoo!), you know the addresses won't change often (they still do when someone changes their name, often due to marriage). Plus, I can never remember which email address I used on a Web site several years ago, but I can always find one of my common login available when I register.

Ronald Nieuwenhuis said...

Hi Alex,

Great and helpfull post. The only thing I found confusing was the setting requiresuniqueemail to true. This is not nececessary to force unique (email) username's.

Greetings,

Ronald Nieuwenhuis.

shejoy said...

Is there a way to send a email when a user is created with soemthign like "welcome to sitecore"?

Unknown said...

Sure you can! You can subscribe to the "user:created" event which is defined in web.config and send that email via standard .NET facilities.