Sitecore Users and C#

The Sitecore security framework is based on standard .NET security. Authentication, authorization, user accounts and roles can all be managed using the standard System.Web.Security namespace.

But Sitecore also provides its own security framework, which makes it easy to manipulate users and roles from a Sitecore perspective.


There are two things you need to know about security in Sitecore:

  • Sitecore prefixes user names with a domain name. This is used to differentiate users between those with access to the Sitecore editor (domain: sitecore) and those with access to the Sitecore extranet (domain: extranet).
    So when accessing Sitecore users from System.Web.Security, make sure you remember to ask for sitecore\admin, and not admin.
    (Advanced Sitecore users know that you can create as many domains as you like).
  • In Sitecore there is no such thing as “not being logged in”. If you are not logged in, you will have a user called “extranet\Anonymous”.
    This means that you will always have a user, no matter the context you are running in.
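
As an added example (not code from the original post), the two points above translate into two small checks: build the qualified name from a domain the server chooses, and test IsAuthenticated rather than null to tell a logged-in user from extranet\Anonymous. The class and method names are hypothetical.

```csharp
using System;
using Sitecore.Security.Accounts;

// Added illustration; AccountNames and its members are hypothetical names.
public static class AccountNames
{
    // Builds "domain\user" from a server-chosen domain and a caller-supplied
    // local name. A local name that already contains a backslash is rejected,
    // so the result always has exactly one separator and the domain part is
    // the one the server chose.
    public static string Qualify(string domainName, string localName)
    {
        if (string.IsNullOrEmpty(domainName))
            throw new ArgumentException("Domain is required.", "domainName");
        if (string.IsNullOrEmpty(localName) || localName.Contains(@"\"))
            throw new ArgumentException("Local user name must not contain a domain.", "localName");
        return domainName + @"\" + localName;
    }

    // True only for a logged-in account in the expected domain.
    // Sitecore.Context.User is never null: a visitor who has not logged in is
    // extranet\Anonymous, so a null check alone says nothing about login state.
    public static bool IsLoggedInMemberOf(User user, string expectedDomain)
    {
        if (user == null || !user.IsAuthenticated)
            return false;

        // User.Name is the full "domain\user" name
        int separator = user.Name.IndexOf('\\');
        if (separator <= 0)
            return false;

        string domain = user.Name.Substring(0, separator);
        return string.Equals(domain, expectedDomain, StringComparison.OrdinalIgnoreCase);
    }
}

// Usage inside a page or controller:
//   bool ok = AccountNames.IsLoggedInMemberOf(Sitecore.Context.User, "extranet");
```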


Get a user from the domain name, user name and password:

using System.Linq;
using Sitecore.Common;
using Sitecore.Security;
using Sitecore.Security.Accounts;

namespace PT.Framework.NemLogin
{
  public class UserRepository
  {
    /// <summary>
    /// Gets the <see cref="Sitecore.Security.Accounts.User"/>.
    /// </summary>
    /// <param name="domainName">Name of the domain.</param>
    /// <param name="userName">Name of the user.</param>
    /// <param name="password">The password.</param>
    /// <returns><see cref="Sitecore.Security.Accounts.User"/> if found or null if not found</returns>
    public static User GetUser(string domainName, string userName, string password)
    {
      // Sitecore user names are always qualified with the domain
      string fullName = domainName + @"\" + userName;
      // Validate the credentials with the standard .NET membership provider
      if (!System.Web.Security.Membership.ValidateUser(fullName, password))
        return null;
      // Then fetch the user through the Sitecore API
      if (User.Exists(fullName))
        return User.FromName(fullName, true);
      return null;
    }
  }
}

The above function demonstrates how you can use the System.Web.Security and the Sitecore.Security namespace simultaneously. The function first validates the user using standard .NET security, then uses the Sitecore namespace to get the user.


The following function will do a login of a specified user:

using Sitecore.Security.Accounts;
using Sitecore.Security.Authentication;
using Sitecore.Web.Authentication;

public static bool Login(string domainName, string userName, string password)
{
  // The last argument is "persistent": false means the login is not remembered
  return AuthenticationManager.Login(domainName + @"\" + userName, password, false);
}

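And this function will also do a login, but it utilizes the Sitecore TicketManager. The TicketManager manages persistent logins and is used to remember you when you log into the Sitecore backend. Note that this overload takes a User and no password, so call it only for a user whose credentials have already been validated, for example with GetUser() above: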

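public static bool Login(User user)
{
  string ticketID = TicketManager.GetCurrentTicketId();
  // The statement guarded by this check is missing from the page; removing the existing ticket is assumed here
  if (!string.IsNullOrEmpty(ticketID))
    TicketManager.RemoveTicket(ticketID);
  return AuthenticationManager.Login(user);
}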

Managing Custom Properties on User Profiles:

This is an example of how to store custom data on a user profile, and later search for the user based on the value in the custom field:


using System.Linq;
using Sitecore.Common;
using Sitecore.Security;
using Sitecore.Security.Accounts;

namespace MyCode
{
  public class UserRepository
  {
    public static User GetUserFromCustomField(string fieldName, string fieldValue)
    {
      // Enumerates every user and returns the first one whose custom property matches
      IFilterable<User> allUsers = UserManager.GetUsers();
      return allUsers.Where(user => user.Profile.GetCustomProperty(fieldName) == fieldValue).FirstOrDefault();
    }

    public static void SetCustomField(User user, string fieldName, string fieldValue)
    {
      UserProfile profile = user.Profile;
      profile.SetCustomProperty(fieldName, fieldValue);
      // Persist the change; without Save() the value is not written to the profile store
      profile.Save();
    }
  }
}
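
GetUserFromCustomField returns the first match, so if the custom field is used to identify a person, two profiles holding the same value silently resolve to whichever comes first. The added variant below (not from the original post; UniqueUserLookup and FindSingleByCustomField are hypothetical names) fails instead of guessing, using only the UserManager and UserProfile calls shown above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Sitecore.Security.Accounts;

// Added illustration; the class and method names are hypothetical.
public static class UniqueUserLookup
{
    // Returns the single user whose custom property equals fieldValue,
    // null when nobody matches, and throws when the value is not unique.
    public static User FindSingleByCustomField(string fieldName, string fieldValue)
    {
        // An empty or null search value could match profiles that simply
        // do not have the field, so it is never treated as an identifier.
        if (string.IsNullOrEmpty(fieldName) || string.IsNullOrEmpty(fieldValue))
            return null;

        // Take(2) is enough to tell "unique" from "ambiguous" and stops the
        // enumeration as soon as a second match is seen.
        List<User> matches = UserManager.GetUsers()
            .Where(u => string.Equals(u.Profile.GetCustomProperty(fieldName),
                                      fieldValue, StringComparison.Ordinal))
            .Take(2)
            .ToList();

        if (matches.Count > 1)
            throw new InvalidOperationException(
                "More than one user has '" + fieldName + "' set to the requested value.");

        return matches.Count == 1 ? matches[0] : null;
    }
}
```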


About briancaos

Developer at Pentia A/S since 2003. Have developed Web Applications using Sitecore Since Sitecore 4.1.
This entry was posted in c#, Sitecore 6.

8 Responses to Sitecore Users and C#

  1. Thank you for sharing this Brian!

    I have a question around something I’ve seen in the past when using the SetCustomProperty method on the UserProfile object. Does the user need to be authenticated in order to use this method?

    I remember receiving exceptions in the past when invoking this method on a user that was not logged in. In one case, I had to “silently” log-in as the user in order to update custom properties — a kludgy solution in my opinion. If users must be authenticated when using this method, is there a “clean” way of invoking this method without having to log-in as the user?




  2. briancaos says:

    In the code where I use this call, the user is not authenticated. I use the GetUser() function to find my user and then set the custom properties using SetCustomField().


  3. Thanks for your response!

    I’m beginning to remember that I did not always experience an exception when calling this method on users not authenticated.

    I think there was a particular scenario when this would occur, although it eludes me today as to what that particular situation was.

    I wrote that code over 3 and 1/2 years ago while employed at another company, and no longer have access to it.


  4. Pingback: .Net News – November Summary – Namics Weblog

  5. Pingback: Sitecore Virtual Users – authenticate users from external systems | Brian Pedersen's Sitecore and .NET Blog

  6. Pingback: Sitecore separate users from CORE database – move membership provider to separate database | Brian Pedersen's Sitecore and .NET Blog

  7. Pingback: Sitecore: Login to website and how to restrict access to content | Brian Pedersen's Sitecore and .NET Blog

  8. Pingback: Which of my old Sitecore posts are still valid in Sitecore 9? | Brian Pedersen's Sitecore and .NET Blog
