1

I'm using a custom MembershipProvider in my application, and it's all wired up correctly. The only missing piece is the ability to display custom error messages depending on the result of the authentication.

The ValidateUser() method only returns true or false, but I would like to also return a more detailed message in case the validation fails. At the moment I'm using a Session variable to store it, and then read that variable in the login page.

Is there a better way of doing it?

Farinha
  • What kind of stuff do you want to check on exactly? Like, if it's false, are the credentials wrong or is he just not approved? This is the example in my head for now. Could you list the things you want to customize the error according to? – Mazen Elkashef Apr 18 '11 at 16:50

2 Answers

0

A more detailed message from ValidateUser can produce a security vulnerability.

You can validate input strings before calling ValidateUser.

gandjustas
0

As @gandjustas says, there's not much you can do from within the custom membership provider, as ValidateUser only gives true or false when authenticating, to reduce unintentional leakage of information that could help an attacker.

As you say, though, you may want to pass back more information to the user, such as "Your account has not yet been approved", and this is the situation that I am in. The following Stack Overflow posting may be of some assistance, particularly the first link given in the accepted answer.

Community
David Keaveny
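
One way to return "Your account has not yet been approved" without revealing which usernames exist, as an added example that is not code from either answer or from ASP.NET itself. `DetailedValidator`, `LoginResult` and the in-memory account store are hypothetical names; a custom provider's ValidateUser() could delegate to it and return true only for `Success`.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public enum LoginResult { Success, InvalidCredentials, NotApproved }

public sealed class Account { public byte[] Salt, Hash; public bool IsApproved, IsLockedOut; }

// Hypothetical helper (not part of System.Web.Security); accounts are constructed sample data.
public sealed class DetailedValidator
{
    private readonly Dictionary<string, Account> _accounts =
        new Dictionary<string, Account>(StringComparer.OrdinalIgnoreCase);
    private static readonly byte[] DummySalt = new byte[16];

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    public void Add(string user, string password, bool approved, bool locked)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        _accounts[user] = new Account { Salt = salt, Hash = Derive(password, salt),
                                        IsApproved = approved, IsLockedOut = locked };
    }

    public LoginResult Validate(string user, string password)
    {
        Account acct;
        bool known = _accounts.TryGetValue(user ?? "", out acct);
        // Always run the KDF so an unknown user costs the same time as a known one.
        byte[] candidate = Derive(password ?? "", known ? acct.Salt : DummySalt);
        // A locked account answers like a wrong password, so guesses during lockout learn nothing.
        bool ok = known && FixedTimeEquals(candidate, acct.Hash) && !acct.IsLockedOut;
        if (!ok) return LoginResult.InvalidCredentials;   // one generic answer, no account state
        // Approval state is disclosed only to a caller who has proved the password.
        return acct.IsApproved ? LoginResult.Success : LoginResult.NotApproved;
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The login page would show the same generic text for `InvalidCredentials` in every case and the approval message only for `NotApproved`.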