3

I am working on the login component of my asp.net application and part of the requirements is that the email-address would be used as the loginID.

For my "Customer" object, should I have a LoginID & an EmailAddress property or just EmailAddress? For the SQL database, would I need a LoginID field or just an EMailAddress field?

Update: In the "Edit Profile" page, the Customer has the ability to edit their email address.

Curious if someone has advice before I get too deep into this.

DNR
  • 3,706
  • 14
  • 56
  • 91

3 Answers3

4

You can do it either way you want - use the email address as the primary key, or use another external customer id field.

My personal preference would be to use another field, and have the email address be a property. The other field would be either a guid, or some other hard-to-guess sequence. I'd go this route for two reasons:

  1. From a security standpoint, if a developer does something sloppy like leak a guid in a url or hidden field, it's (marginally) less damaging than leaking actual customer email addresses.
    • It's harder to use automation to generate a bunch of GUIDs and find a user/password match than it is to buy a list of email addresses and feed those into an automated exploit kit.
  2. Ease of maintenance - people change email addresses. If you use the email address as a primary key, you have to figure out how to transfer account settings.

I know this wasn't asked for in the question, but you're obviously building your own login mechanism, and it sounds like you may not necessarily overly be experienced. In the interest of helping you avoid mistakes I've personally made in the past, here's some good reading:

http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html

David
  • 72,686
  • 18
  • 132
  • 173
  • That said, I've worked with systems that work either way, and I hate idea of using the email address as a login mechanism badly enough that I'd go back to the business and try to change this requirement if there's any possibility of success. But plenty of sites and commercial shopping carts do it, so it's probably just me. – David Jul 16 '12 at 21:21
  • that is a good point... since the Customer has the ability to change their email address. – DNR Jul 16 '12 at 21:22
1

The best practice would be to ensure the login ID is unique. Email addresses are indeed unique, but you can run into issues if someone wishes to change their email address. I would recommend using a separate ID rather than email as the primary key.

Note also that there are some performance considerations when using the email address as a primary. There are some good responses in this very similar question: Use email address as primary key?.

Community
  • 1
  • 1
Ryan Kohn
  • 13,079
  • 14
  • 56
  • 81
  • I agree with that recommendation. +1. Not sure why someone would downvote this. It's a short answer, but good advice. – David Jul 16 '12 at 21:22
1

From experience I recommend you use a key combination between a unique ID of the row and the user's mail. And both you can use them as properties.

Shortys Oberto Dutari
  • 558
  • 6
  • 17