ASP.NET Membership.CreateUser appears to create multiple user records

Question

Bottom Line Up Front

Should I be seeing multiple user records in aspnet_Users for each user mapping to each of the applications specified in the aspnet_Applications table?

The Situation

I have a web application using ASP.NET forms security. Having created a number of users, I decided to take a look in the AspApplicationServices database which is specified as my provider. In the aspnet_Applications table there are two application records ("/", and "/MyAppNameHere") each with its unique application id.

In the aspnet_Users table, I noticed that I have twice as many users as I expected. One each for both applications (i.e. each user has a record specifying the ID of the "/" and "/MyAppNameHere" application records).

Is this the way it is supposed to work? I have looked about and have found no mention of this activity, or whether it is by design and what it might be for. If it is by design I have to conclude that any changes in user information will be propagated to all of the matching user recods, not just the "root" or the other.

Note: These users were created both through the application (using Membership.Create()) and through the configuration mini-app (Security->Create User).

web.config

<roleManager enabled="true">
  <providers>
    <clear />
    <add applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices"  />
    <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
  </providers>
</roleManager>

Answer 1

The reason is that you have different Application names in your Membership provider and Role manager provider.

You set the application name of your membership provider to "/MyAppNameHere". Initially you didn't set the application name of your role manager provider. By default it uses the ApplicationVirtualPath as documented in http://msdn.microsoft.com/en-us/library/system.web.security.roleprovider.applicationname.aspx. Usually it is the virtual path of your web site ("/" in many cases).

As a result, when you call Membership.CreateUser(), it creates two records in aspnet_users. One for membership application id and one for role provider's application id. The two records have the same user name but have different user Ids (one for each application id).

The call also creates one record in aspnet_membership table (application id, userid, password etc). the Applicatin id and user id are from the record corresponding to the membership provider's application name, i.e., "/MyAppNameHere".

When you create a user role using call such as Roles.AddUserRole(), it will create a record in aspnet_UsersInRoles that uses the user id corresponding to the application id of role manager provider.

I couldn't find official document but http://weblogs.asp.net/gurusarkar/archive/2010/01/09/asp-net-mebership-creates-two-users-in-aspnet-users-table.aspx has some explanation. This diagram helps understand the table relationships.

Answer 2

You're most likely adding a user with a role, without having the out-of-box RoleProvider properly configured.

If you don't specify an ApplicationName in the roleManager section of the web.config it will create another user with the default application name "/" when you try and create a user.

<system.web>
    <roleManager enabled="true">
        <providers>
            <clear/>
            <add name="AspNetSqlRoleProvider"
                 connectionStringName="[ConnectionStringName]"
                 applicationName="[ApplicationName]"
                 type="System.Web.Security.SqlRoleProvider" />
        </providers>
    </roleManager>
</system.web>

Answer 3

Until asawyer posts an answer with his comments, I will just mark an answer myself.

Looks like the multiple records tie application specific users together. There is a general record created, and an application related record created, presumably to provide continuity between applications.