I wrote my own after reading through all the stored procedures in the ASP.NET Membership provider. It's not hard and you have much more control at the end of the day.
If you like XML configuration, weakly-typed strings for roles, insecure by default, random web.config files littered through your directories instead of a clean marker interface on your page classes to say 'no account required', multiple database hits for a single login, user objects that aren't loaded from your current ObjectContext/DataContext and the ability to change providers on the fly (woo hoo, who uses that?!), go for the built-in one. If not, build your own, but if you do, make sure you add salt and encrypt your passwords, and do a proper encrypted cookie please.
One of the first rules of creating a secure authentication system is that you shouldn't try to build the framework yourself. There are many pitfalls that can be easily overlooked. So, I would say unless there is an overwhelming reason to do otherwise, you should use an existing framework like the MembershipProvider. To list "the benefits" requires listing all security measures that were taken by the FormsAuthentication classes, which is a long list.
Off the top of my head, I can think of a few:
- Hashes of passwords
- Protection against SQL injection
- Protection of the cookie that stores the authentication ticket
- Use of and storage of a ticket instead of, say, a username in the cookie
- Checking on every page to ensure the user is authenticated
- Population of the IPrincipal and IIdentity for the current user
- Redirection after login (granted, a feature)
- Handling of failed login attempts
- Locking and unlocking users
- ActiveDirectory integration
- Ability to easily set and change password length and complexity requirements
- Salting (from ...
I'm looking for clear, specific benefits that the framework offers. – alchemical Apr 17 '10 at 1:28
@alchemical - I've updated my post. Microsoft has taken great pains to provide a feature-rich, relatively simple library for doing authentication. Why try to reinvent the wheel? – Thomas Apr 17 '10 at 1:51
A good checklist, but nothing hard. Add #12 - Salting. Of course it also offers #13 - "Ability to store unencrypted password in the database", which is just such a bad idea. – ghtechrider Apr 17 '10 at 2:02
@ghtechrider - Out of the box, I believe the default setting is to use hashes for passwords. I.e., you have to go out of your way to make it insecure. – Thomas Apr 17 '10 at 2:05
@alchemical - Your link at the top is broken. – Thomas Apr 17 '10 at 2:06
Just to clear up a potential misconception, using the customer ID, encrypted or not is extremely vulnerable to sniffers. What you want to do instead is create a log in ticket at the time of successful authentication and store that ID in the cookie. This won't protect sniffers from stealing sessions, but at least the session (eventually) expires whereas the customer ID does not.
I see, so you suggest one additional level of abstraction. I think that's reasonable and not too terribly bad to implement. Isn't Membership storing the UserID in the cookie? From MSDN: "You can store one value in a cookie, such as user name and last visit." – alchemical Apr 17 '10 at 1:33
It could be, and you can. It's just important that you don't use that for determining if a user is authenticated. If you want to say " " there's no danger if a hacker spoofs the value. On the other hand, if you try if(IsAdmin(Username)) you could get yourself in trouble. – Spencer Ruport Apr 17 '10 at 19:39
You can implement your own membership provider (as you mentioned) if you wish to have your own storage. One advantage is that you can administer memberships through IIS's .NET Users configuration tool.
The biggest advantage is what the others stated already: why reinvent the wheel? If you implement your own custom login UI using MVC you could also reuse it when switching to a different membership provider.
We will not be using the user config tool as there will be a massive number of members; any member admin tools will have to be custom. Regarding wheels, do you drive an ox cart or a Camry to work? :) – alchemical Apr 17 '10 at 1:30
It could still be useful if you can swap out the membership provider, for instance for testing purposes. Of course it's not all that complicated to implement your own provider model. Just have to get the cookie thing right. Don't forget the cookieless authentication ASP.NET supports either. – Tungano Apr 17 '10 at 1:36
Can use the FormsAuthentication bit and the cookie part without any form of Membership Provider: stackoverflow.com/questions/2077858/… – Tungano Apr 17 '10 at 1:53
You can customize to build your own provider. Behind the scenes the Membership provider uses the same FormsAuthentication implementation as you will write. Anyway, I have read that the main issues about performance you will face will be related to the SQL SERVER stored procedures that retrieve the data. In one of the books about building a portal system by Omar Al Zabir he mentions some improvements to the stored procedures which can result in faster performance.
We're developing an ASP.Net MVC site that needs to support 100,000+ users. We'd like to keep it fast, scalable, and simple. We have our own SQL database tables for user and user_role, etc. We are not using server controls.
Given that there are no server controls, and a custom membershipProvider would need to be created, where is there any benefit left to use ASP.Net Auth/Membership? The other alternative would seem to be to create custom code to drop a UniqueID CustomerID in a cookie and authenticate with that. Or, if we're paranoid about sniffers, we could encrypt the cookie as well.
Is there any real benefit in this scenario (MVC and customer data is in our own tables) to using the ASP.Net auth/membership framework, or is the fully custom solution a viable route?