ASP.NET Web Pages - WebSecurity Object


The WebSecurity Object provides security and authentication for ASP.NET Web Pages applications.

With the WebSecurity object you can create user accounts, login and logout users, reset or change passwords, and more.

WebSecurity Object Reference - Properties

Properties Description
CurrentUserId Gets the ID for the current user
CurrentUserName Gets the name of the current user
HasUserId Returns true if the current has a user ID
IsAuthenticated Returns true if the current user is logged in

WebSecurity Object Reference - Methods

Method Description
ChangePassword() Changes the password for a user
ConfirmAccount() Confirms an account using a confirmation token
CreateAccount() Creates a new user account
CreateUserAndAccount() Creates a new user account
GeneratePasswordResetToken() Generates a token that can be sent to as user by email
GetCreateDate() Gets the time the specified membership was created
GetPasswordChangeDate() Gets the date and time when password was changed
GetUserId() Gets a user ID from a user name
InitializeDatabaseConnection() Initializes the WebSecurity system (database)
IsConfirmed() Checks if a user is confirmed
IsCurrentUser() Checks if the current user matches a user name
Login() Logs the user in by setting a token in the cookie
Logout() Logs the user out by removing the token cookie
RequireAuthenticatedUser() Exits the page if the user is not an authenticated user
RequireRoles() Exits the page if the user is not a part of the specified roles
RequireUser() Exits the page if the user is not the specified user
ResetPassword() Changes a user's password using a token
UserExists() Checks if a given user exists

Technical Data

Name Value
Class WebMatrix.WebData.WebSecurity
Namespace WebMatrix.WebData
Assembly WebMatrix.WebData.dll

Initializing the WebSecurity Database

You must create or initialize an WebSecurity database before you can use the WebSecurity object in your code.

In the root of your web, create a page (or edit the page ) named _AppStart.cshtml.

Put the following code inside the file:


WebSecurity.InitializeDatabaseConnection("Users", "UserProfile", "UserId", "Email", true);

The code above will run each time the web site (application) starts. It initializes the WebSecurity database.

"Users" is the name of the WebSecurity database (Users.sdf).

"UserProfile" is the name of the database table that contains the user profile information.

"UserId" is the name of the column that contains the user IDs (primary key).

"Email" is the name of the column that contains user names.

The last parameter true is a boolean value indicating that the user profile and membership tables should be created automatically if they don't exist, otherwise false.


The WebSecurity Database

The UserProfile table contains one record for each user, with a user ID (primary key) and the user's name (email):

UserId Email
1 john@johnson.net
3 lars@larson.eut

The Membership table will contain membership information about when the user was created and if (and when) the membership was confirmed.

Much like this (some columns are not shown):

Password Password
1 12.04.2012 16:12:17 NULL True NULL AFNQhWfy.... 12.04.2012 16:12:17

Note: If you want to see all columns and all content, open the database with WebMatrix and look inside each table. 

Simple Membership Configuration

You might get errors using the WebSecurity object, if your site is not configured to use the ASP.NET Web Pages membership system SimpleMembership.

This can occur if a hosting provider's server is configured differently than your local server. To fix this, add the following element to the site's Web.config file:

<add key="enableSimpleMembership" value="true" />