ASP.Net MVC 4 and WebSecurity - User Registration Confirmation through Email

asp.net-mvc-4 security simplemembership
Santosh picture Santosh · Jan 30, 2013 · Viewed 15.2k times · Source

I am using the default Internet Application template of ASP.Net MVC 4 project. The Register action in the Account controller is like this -

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Register(RegisterModel model)
{
    if (ModelState.IsValid)
    {
        // Attempt to register the user
        try
        {
            WebSecurity.CreateUserAndAccount(model.UserName, model.Password);
            WebSecurity.Login(model.UserName, model.Password);
            return RedirectToAction("Index", "Home");
        }
        catch (MembershipCreateUserException e)
        {
            ModelState.AddModelError("", ErrorCodeToString(e.StatusCode));
        }
    }
    // If we got this far, something failed, redisplay form
    return View(model);
}

However, this does not provide any ready to use functionality to use email address for registration and steps to send email for confirmation & account activation. I see that Starter Site template of WebMatrix uses WebSecurity and provides the functionality I'm looking for, but it does not follow the standard MVC pattern. I could blend both the approaches to arrive at MVC 4 compatible solution, but I am looking for ready to use code to save time. Any good samples or pointers are very much appreciated. Thank you.

Answer

Kevin Junghans picture Kevin Junghans · Jan 30, 2013

Actually SimpleMembership is wired to support a 2 step confirmation. Go to this blog post to see how you extend the UserProfile to include an Email property. Modify the registration view to capture the email. Now when you create the new user use CreateUserAndAccount like this.

string confirmationToken = WebSecurity.CreateUserAndAccount(model.UserName, model.Password, new{Email = model.Email}, true);

Now you just send the confirmationToken in an email to the user using your favorite emailing method for ASP.NET MVC. I like Postal because you can use the Razor engine to generate the body of your email. The email body will contain a link to a new web page (controller/action) that has the confirmationToken as the id ({controller}/{action}/{id}). When the user clicks on the link your code will perform the confirmation using WebSecurity.ConfirmAccount. That is all that is required to add email confirmation to your MVC 4 application. There is a step-by-step guide for adding email confirmation to MVC 4 here.

Related questions

Secure Flag for ASPXAUTH Cookie

We have an externally facing application which was penetration-tested by an external security company. Application has been developed on ASP.NET MVC4 and running on IIS8/Windows 2012 Server. One of the vulnerabilities reported was ASPXAUTH is not secure. When I …

Read More
How to make Confirmation link activate accounts in MVC4?

I am building an MVC 4 application starting with the default internet application. My goal is to send a confirmation email to users as they register to the website, i have managed to send the confirmation email but when i click …

Read More
MVC 4 Intranet Authentication with Custom Roles

I have spent some time searching and found a lot of confusing answers, so I will post here for clarification. I am using MVC4 VS2012 created an Intranet site using domain authentication. Everything works. However, to manage the users that …

Read More