1

Is it possible to use WebSecurity or SimpleMembersshipProvider without a database? This is mainly because my web server would be consuming all the logic from a "central server" instead of accessing directly to the database.

Cristiano Coelho
  • 1,675
  • 4
  • 27
  • 50

1 Answers1

2

Sure. Please see how to implement a custom membership provider: http://www.codeproject.com/Articles/165159/Custom-Membership-Providers

Basically what you need to do is inherit the MembershipProvider class and implement basic methods like ValidateUser and the like and once finished register the new provider in web.config. You can use any data store you like.

Another option is to handle user authentication manually and using FormsAuthentication.Authenticate() to send auth cookies with user requests. This method also works with the [Authorize] filter, if you want I can send you a code sample.

Edit:

public class CustomAuthorizeFilter : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var authenCookie = httpContext.Request.Cookies.Get(FormsAuthentication.FormsCookieName);
        if (authenCookie == null) return false;

        return true;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new RedirectResult("/");
    }
}

Login method:

var ticket = new FormsAuthenticationTicket(1, // version 
                                   token, // user name
                                   DateTime.Now, // create time
                                   DateTime.Now.AddDays(1), // expire time
                                   model.RememberMe, // persistent
                                   ""); // user data, such as roles
var strEncryptedTicket = FormsAuthentication.Encrypt(ticket);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, strEncryptedTicket);
Response.Cookies.Add(cookie);
smisak
  • 36
  • 4
  • Making a custom membership provider, or simply using FormsAuthentication on my controller login code, would make [Authorize] already work? Even if i want to use Authorize with roles? Or should i implement my own Authorize filter? – Cristiano Coelho Apr 20 '13 at 22:17
  • Membership has so many "useless" operations, would it be possible for me to just create an interface with the operations i need and then implement it using FormsAuthentication? Would Authorize still work with it? – Cristiano Coelho Apr 20 '13 at 22:33
  • Sorry it took me time to see your question. [Authorize] filter will work if you simply use FormsAuthentication.Authenticate("some-email"). Also, if you want a custom solution consider writing your own Authorize filter. All you have to do is implement AuthorizeAttribute interface and override method OnAuthorization in which you check for example if the HttpContext.Request contains your custom cookie. If you want some sample code feel free to contact me. – smisak Apr 23 '13 at 18:37
  • I think i could use some examples on how to do a custom Authorize attribute. Google didn't help at all. – Cristiano Coelho Apr 24 '13 at 18:45
  • Sure: http://stackoverflow.com/questions/5070339/custom-authorize-attribute (AuthorizeCore is your main method. There you must check if users request contains your session cookie. I added some source code to my answer to make it easier. – smisak Apr 30 '13 at 07:29