MonoX support board

Start the conversation, ask questions and share tips and solutions with fellow developers.

Non-registered users can only browse through our support boards. Please register now if you want to post your questions. It takes a second and it is completely free. Alternatively, you can log in without registration using your credentials at major sites such as Google, Microsoft Live, OpenId, Facebook, LinkedIn or Yahoo.

MonoX allows one to register multiple accounts with same e-mail  (Mono Support )

Viewed 41058 time(s), 11 post(s) 6/5/2014 11:13:23 AMby Zoomicon
Zoomicon

Zoomicon

6/5/2014 11:13:24 AM

MonoX seems to allow one to register multiple accounts with same e-mail

1) can one ask for password reset giving a userid? hope the correct reset link is created in that case (based on the userid, not the email, since then it seems to default to the first account you had created)

2) if one asks for password reset giving an e-mail instead of userid, then they should receive a list (userid, resetlink) in their e-mail so that they can see that they have multiple accounts and reset the appropriate one. This could be useful if you have a class of small children and register all of them with separate usersids and the class or teacher's common e-mail account

3) is it possible to turn off this via web.config and request that all user accounts use the same e-mail at registration? This shouldn't break existing accounts that have same e-mail if turned on later on, should only be checked at user registration form. That is [1] and [2] above are needed anyway

4) a bit related: allowing the admin to merge multiple user accounts into a single one would be nice (and keep the login credentials of one of them he selects to be the remaining account). It would merge user uploads into a folder (that could be a problem with filenames that need to be resolved for duplicates automatically somehow) and also replace the userid for the older accounts with the one that was kept to keep

Rated 5.00, 2 vote(s). 
2793 Reputation 345 Total posts
Zoomicon

Zoomicon

6/5/2014 11:21:28 AM

Note that if you do register multiple accounts (usernames) with the same mail, you can still login OK to all of them (assuming you remember the username) using the username instead of using an e-mail.

 If you pass an e-mail to the login form then it logs on to the first account you had created (being the first means that a teacher could make an account for him first using the class e-mail, then make the student accounts with the same e-mail: teacher will be able to login both with username and e-mail and students only with username)

However, since students may not remember their username (neither their teacher) and still need a password reset, the [2] suggestion above is needed, that is to receive list of all your usernames with separate password reset links.

Also helps users who made multiple accounts by accident (registered again with other username cause they weren't sure if they had registered, or didn't remember username) to realize they have multiple accounts ([4] would help in that case, in that they'd ask admin to merge them [could have such a mention that they can ask the admin to merge them maybe in the reset e-mail if it sees they have multiple accounts])

---
</br>Also assuming [1] suggestion above works (that they can reset password giving username instead and reminder to be sent to teacher [so reminder mail should mention then for what username it is]). If not, needs to be implemented (be able to give username at password reminder form instead of email to send reminder mail that would write for what username it is)

Rated 5.00, 1 vote(s). 
2793 Reputation 345 Total posts
gstadter

gstadter

6/5/2014 12:16:18 PM
for what it is worth, I verified this behavior in v5.1.40.5015.
and I certainly agree... a check that the email addr is unique is very important.
If not unique, the user should be offered a link to password recovery mechanism.
Rated 5.00, 2 vote(s). 
669 Reputation 67 Total posts
khorvat

khorvat

6/6/2014 7:39:38 AM
Hi all,

as for 1) & 2) these depends upon your app configuration so if you misconfigure your app your will all kinds of weird behaviors.

"3) is it possible to turn off this via web.config and request that all user accounts use the same e-mail at registration? This shouldn't break existing accounts that have same e-mail if turned on later on, should only be checked at user registration form. That is [1] and [2] above are needed anyway
- you should first configure MonoX membership in the web.config so that you support only unique e-mails in the system. Then there are few techniques that can be used to partially merge accounts. We will get back to you on this if this is an option for you ?

"4) a bit related: allowing the admin to merge multiple user accounts into a single one would be nice (and keep the login credentials of one of them he selects to be the remaining account). It would merge user uploads into a folder (that could be a problem with filenames that need to be resolved for duplicates automatically somehow) and also replace the userid for the older accounts with the one that was kept to keep"
The full merge process is far more complex that you have described above as if has a lot more things to merge, update, sync etc. so we tend not to do that but rather use some other techniques to accomplish a merge.

"However, since students may not remember their username (neither their teacher) and still need a password reset, the [2] suggestion above is needed, that is to receive list of all your usernames with separate password reset links."
&
"Also assuming [1] suggestion above works (that they can reset password giving username instead and reminder to be sent to teacher [so reminder mail should mention then for what username it is]). If not, needs to be implemented (be able to give username at password reminder form instead of email to send reminder mail that would write for what username it is)"
These are all bugs or "features" of ASP.NET membership, MonoX has a feature in the configuration as it has unique e-mails set to false in the membership, which should be true by default because of the issues you are discovering. We will switch the e-mail setting to true and consider your proposal related to password recovery.

Thanks for a great feedback.
Regards
Rated 5.00, 1 vote(s). 
15993 Reputation 2214 Total posts
Zoomicon

Zoomicon

6/6/2014 11:26:42 AM
If I switch it now to true what will be the ramification for existing system where there may already be accounts with same e-mail? Will ASP.net through some error at portal startup (bad), or will it just not allow for new users to use multiple accounts with same e-mail? Plus will it show a friendly error message to the user in that case? (showing a question/link too if they want a password reminder under that message would be nice as gstadter suggested above)
This content has not been rated yet. 
2793 Reputation 345 Total posts
Zoomicon

Zoomicon

6/14/2014 1:48:55 PM

another strange issue we had:

user logged in with Facebook and they had there the same mail as an existing account in the system. It detected it fine and logged them in to their already existing account (was registered before with the classic non-social login)

then they tried to log in with google's social provider and it asked them for their e-mail. They gave their gmail, which was the same e-mail they were using in monox  (and in Facebook) already, but this time the system created a 2nd user (with the same e-mail). It should do deduplication as it did with FB instead and detect that the user already has account in the system and thus log them in after they prove that their e-mail is that one (btw would then need separate e-mail for verification or to rename activation e-mail to say "verification e-mail" to cover both situations, since in this case you wouldn't be doing new account activiation, but just verifying that google login is yours since it doesn't give the user e-mail to monox [although I posted in other topic some possible workarround for it, passing an additional request scope to OAuth2 to ask for the e-mail from Google])

This content has not been rated yet. 
2793 Reputation 345 Total posts
mzilic

mzilic

6/16/2014 9:49:51 AM
then they tried to log in with google's social provider and it asked
them for their e-mail. They gave their gmail, which was the same e-mail
they were using in monox  (and in Facebook) already, but this time the
system created a 2nd user (with the same e-mail).

In your web.config do you have requiresUniqueEmail set to true or false?
This content has not been rated yet. 
2218 Reputation 300 Total posts
Zoomicon

Zoomicon

6/21/2014 10:31:28 PM

had it to false and now changed to true, but the issue I think is that since she was already registered with that e-mail it should just give her a way to verify it's here e-mail and from then on use that social login provider (that wasn't giving back mail info) with that e-mail and log in to the user account that has with that e-mail registered in MonoX (as is done with the facebook provider)

This content has not been rated yet. 
2793 Reputation 345 Total posts
Zoomicon

Zoomicon

6/21/2014 10:33:04 PM
btw, I find it strange that the setting for unique e-mail requirement as at the row where you define the connection string. Does each user use a separate connection to the db? (no connection pool?)
This content has not been rated yet. 
2793 Reputation 345 Total posts
khorvat

khorvat

6/22/2014 7:07:49 AM
Hi,

  This is a standard ASP.NET membership setting, and the same connection string is used for every db connection. So every request for a page will check the user credentials with the separate connection to db.

You can get more details about the membership provider on the MSDN.

Regards
This content has not been rated yet. 
15993 Reputation 2214 Total posts
1 2