A member that has changed their email address/user name, can still login with the old value

[AndyButland]

Which exact Umbraco version are you using? For example: 9.0.1 - don't just write v9

8.17.1

Bug summary

With a standard setup for member login and profile update, if we allow a member to update their user name, they are able to subsequently login with both the old and new user name.

Specifics

This looks to be happening due to caching at the repository level and can be resolved by injecting the IsolatedCaches:

    public class AccountController : SurfaceController
    {
        private readonly IMemberService _memberService;
        private readonly IsolatedCaches _isolatedCaches;

        public AccountController(
            IMemberService memberService,
            AppCaches appCaches)
        {
            _memberService = memberService;
            _isolatedCaches = appCaches.IsolatedCaches;
        }

       ...

And running code like the following after the member's profile has been saved:

    var memberRepoCacheAttempt = _isolatedCaches.Get<IMember>();
    if (memberRepoCacheAttempt.Success)
    {
        var memberRepoCache = memberRepoCacheAttempt.Result;
        memberRepoCache.ClearByKey(
            $"uRepo_IMember_{currentEmail.ToUpperInvariant()}");

This resolution is perhaps though requiring a developer to dig around in the Umbraco internals that we wouldn't ideally need to ask them to to do, as ideally Umbraco would handle this cache clearing (or at least provide a higher-level API to do so). For example, relying on knowing the specific key used by the cache isn't really something a solution developer should have to work with, and as it's really an internal detail rather than a public API, there may be small risk it could change in future versions.

Steps to reproduce

• Set up a member login and profile display/update using standard Umbraco snippets and techniques.
• Process an update of the user's user name and email address using something like the following:

    var memberId = Members.GetCurrentMemberId();
    var member = _memberService.GetById(memberId);
    member.SetValue("firstName", model.FirstName);
    member.SetValue("lastName", model.LastName);
    
    var currentEmail = member.Email;
    var isEmailAddressUpdated = !currentEmail.Equals(model.Email);
    if (isEmailAddressUpdated)
    {
        member.Email = model.Email;
        member.Username = model.Email;
    }
    
    _memberService.Save(member);

• Logout and try to login again with the old and new user name, and note that both succeed.

Expected result / actual result

Logging in with the old user name should fail.

Under the hood it would be good if Umbraco can detect the user name has been changed, and if so, clear the underlying cache for the old user name.

[nul800sebastiaan]

Sure thing! This has been like this since forever I remember so we'd be happy for a fix.

[Migaroez]

This issue does no longer exists in v10, probably not in v9 either as the Membership provider changes have probably "fixed" this