How to Enable Logons by Using the Commerce Server Membership Provider

With ASP.NET, you can specify a membership provider. ASP.NET invokes the membership provider when it has to perform actions that involve user registration and authentication. Commerce Server Core Systems includes a membership provider that integrates ASP.NET logon and registration controls with the data that is stored in user profiles.

To use the Commerce Server membership provider, you must modify the Web.config file to specify that you are using a custom membership provider.

You can configure the Commerce Server membership provider’s behavior in the following two ways:

  • You can add attributes to the membership element in the Web.config file to configure global actions that ASP.NET will take regarding users, such as how long a user can be logged in before the user’s connection times out.

  • You can add properties to the user profile or remove properties from the user profile to customize the fields that the registration Web page displays. Sometimes, if specific properties exist in the user profile, there are more actions customers can perform to manage their own user information.

For more information about the Commerce Server membership provider, see "What Is the Commerce Server Membership Provider?"

Modifying the Web.config File

To use the Commerce Server membership provider, you must add the membership element to the Web.config file. You must also configure ASP.NET to use forms authentication. To obtain the default functionality of the Commerce Server membership provider, add the following XML code to the system.web element in the Web.config file:

<authentication mode="Forms" />
<membership defaultProvider="UpmProvider">
  <providers>
    <add name="UpmProvider"
         type="Microsoft.CommerceServer.Runtime.Profiles.UpmMembershipProvider" />
  </providers>
</membership>

You can customize the behavior of ASP.NET with regard to users by adding optional attributes to the add element in the providers element. The behaviors you can change are the following:

  • Which Commerce Server Core Systems profile to obtain user information from.

  • How to handle password attempts that are not valid.

  • Whether approval is required to add a new user.

  • Whether passwords can be reset by the user.

  • Whether errors are written to a log file.

You can also use ASP.NET attributes that are not specific to Commerce Server Core Systems to customize other behaviors. For more information about the syntax and optional attributes of the membership, providers, and add elements, see membership Element. For more information about ASP.NET membership providers, go to https://go.microsoft.com/fwlink/?LinkId=56494.

Warning

By default, forms authentication does not require SSL for the authentication cookie, so the cookie can be sent over an unencrypted connection. To force forms authentication to use SSL, you must set requireSSL="true" in the forms element of the Web.config file that is used by your application.
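The following check is an added example, not part of the original documentation or of Commerce Server. It audits a Web.config for the settings described above: forms authentication, requireSSL="true" on the forms element, and a default membership provider that resolves to UpmMembershipProvider. The function name audit_web_config and both sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's default snippet inside system.web (no forms element).
DEFAULT_CONFIG = """<configuration><system.web>
  <authentication mode="Forms" />
  <membership defaultProvider="UpmProvider">
    <providers>
      <add name="UpmProvider"
           type="Microsoft.CommerceServer.Runtime.Profiles.UpmMembershipProvider" />
    </providers>
  </membership>
</system.web></configuration>"""

# Constructed sample: the same settings plus the forms element the warning calls for.
HARDENED_CONFIG = DEFAULT_CONFIG.replace(
    '<authentication mode="Forms" />',
    '<authentication mode="Forms">\n    <forms requireSSL="true" />\n  </authentication>')

UPM_TYPE = "Microsoft.CommerceServer.Runtime.Profiles.UpmMembershipProvider"

def audit_web_config(xml_text):
    """Return a list of findings for the settings this page describes."""
    findings = []
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["no system.web element"]
    auth = web.find("authentication")
    if auth is None or auth.get("mode", "").lower() != "forms":
        findings.append("authentication mode is not Forms")
    else:
        forms = auth.find("forms")
        if forms is None or forms.get("requireSSL", "false").lower() != "true":
            findings.append('forms element does not set requireSSL="true"')
    membership = web.find("membership")
    if membership is None:
        findings.append("membership element is missing")
        return findings
    default = membership.get("defaultProvider")
    # The type may be assembly-qualified, so compare on the class-name prefix.
    providers = {p.get("name"): p.get("type", "")
                 for p in membership.findall("providers/add")}
    if default not in providers:
        findings.append("defaultProvider does not match any provider name")
    elif not providers[default].startswith(UPM_TYPE):
        findings.append("default provider is not UpmMembershipProvider")
    return findings

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_web_config(cfg) or "ok")
```
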

Adding Logon and Registration Controls to Your Web Site

After you add the Commerce Server membership provider to the Web.config file, you can create a logon page by adding the ASP.NET logon control to your Web page. You can create a page that lets a new user register for an account by adding the ASP.NET registration control to your Web page.

How Using the Commerce Server Membership Provider Affects the User Profile

Certain properties of the user profile affect the behavior of the Commerce Server membership provider. The user profile must have some specific properties. The presence or absence of other properties on the user profile affects the functions that are available to the user of your Web site.

The following properties must exist for the user profile:

  • GeneralInfo.user_id

  • GeneralInfo.user_security_password

  • GeneralInfo.email_address

Note

The Commerce Server membership provider requires a property to use for the default value of the logon name. If you do not specify another property, the membership provider uses the GeneralInfo.email_address property as the default value of the logon name. The property that you use for the default value of the logon name is a required property.

If the user profile definition contains specific properties, the Web site will provide additional functionality. The following is a list of these properties and their effects:

  • GeneralInfo.password_question (string) and GeneralInfo.password_answer (encryptable string). If these properties are present, the user will be required to provide the correct answer to the question before resetting a password.

    Note

    If there is no password set in the user’s profile, the user will not be able to reset the password.

  • AccountInfo.account_status (site term). If the account's status is Approved, the user can log on; otherwise, the user cannot log on. If the account's status is Inactive or Unapproved, the ValidateUser method returns false. Otherwise, the ValidateUser method returns true.

    Valid values are Active, Inactive, and Unapproved.

  • ProfileSystem.date_created (datetime). If this property is present, the time that the account was created is recorded in local server time.

  • ProfileSystem.date_last_logon (datetime). If this property is present, the time that the user most recently logged on is recorded in local server time.

  • ProfileSystem.date_last_password_changed (datetime). If this property is present, the time that the user most recently changed the password is recorded in local server time.

  • GeneralInfo.comment. If this property is present, an administrator will be able to add a comment to the user account.

  • ProfileSystem.last_activity_date (datetime). If this property is present, the time that the user most recently used the site is recorded in local server time.

  • GeneralInfo.email_address (string). If this property is present, the FindUsersByEmail and GetUserNameByEmail methods are enabled. If this property is marked as a unique key, the Commerce Server membership provider makes sure that the e-mail address is unique.

The metadata of the GeneralInfo.user_security_password property indicates the format in which passwords are stored. The following are valid values for the metadata of the GeneralInfo.user_security_password property:

  • MembershipPasswordFormat.Clear

  • MembershipPasswordFormat.Hashed

  • MembershipPasswordFormat.Encrypted

The default value is MembershipPasswordFormat.Hashed.

If you add new required properties to the user profile, you will not be able to use the Membership object to create users.

See Also

Other Resources

How to Validate Passwords

How Does Account Lockout Work?