
Haven't done security in ASP.NET before. Need to secure an MVC site - simple username/password access for admin access to the site's logs and admin areas, not for general users.

Looked into Identity/OWIN, and it is, as of this writing, half-baked. There are multiple ways to do things, the docs are few or non-existent, and blogs discuss deprecated or alpha versions. The samples don't correspond to anything in the docs or blogs. In short, it's a mess.

Security is hard, so I want to use something that was written by an expert, works and is tried-and-tested. Must be from Microsoft, not some third-party stuff.

So what security API came before Identity/OWIN, which works well and hasn't been compromised? They've released many, so I don't know which to use?

h bob

2 Answers


The predecessor to Identity/OWIN was SimpleMembership.

However, according to my question "What is MVC4 security all about?", SimpleMembership is an oxymoron.

Rowan Freeman
  • Wow...well, in light of this, would you recommend avoiding it and trying/battling to get Identity to work instead? – h bob Sep 01 '14 at 06:40
  • I think so. I'm inclined to recommend that you implement it your own way (i.e. roll your own membership) or at least use some built-in membership and supplement it as necessary. The reason why it's so complicated is that membership is very per-case specific. It's very hard to get a one-solution-fits-all. I don't like the Users/Roles system ([magic strings](http://en.wikipedia.org/wiki/Magic_string) everywhere?), or what the built-in solution may think I need. It's probably wrong for my case. – Rowan Freeman Sep 01 '14 at 06:49
  • Even if I only need username/password type security? Surely I can rely on the vanilla API for that? – h bob Sep 01 '14 at 08:16

Forms Authentication with custom Membership and Role Providers was used for years and still can be used. SimpleMembership is something that tries to simplify the original provider model but sacrifices too much, in my opinion, plus it is still not that simple.

There are thousands of tutorials on Forms Authentication and you should be able to start immediately. The Membership/Role Provider model is also extremely well documented.

In terms of correspondence

  • Membership/Role Providers correspond to the Identity API
  • Forms Authentication corresponds to the OWIN security API
Wiktor Zychla
  • Was it deprecated because it was insecure? I don't need fancy features like they have in SimpleMembership/Identity, but I do need rock solid security. – h bob Sep 01 '14 at 09:02
  • No, it is still secure. It's just not as easily extensible as Identity/OWIN and doesn't easily support federated authentication. I'd say the majority of .NET web apps still stick with Forms Auth. The Identity framework is still considered "too young" by core developers. – Wiktor Zychla Sep 01 '14 at 11:04
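
The split described in the second answer (Membership/Role providers for the user store, Forms Authentication for the cookie), shown for an admin-only area as an added example that is not part of the original posts. The controller, model and role names are hypothetical, and it assumes `web.config` already has `<authentication mode="Forms">` with a `<forms loginUrl="~/Account/Login" requireSSL="true" />` element and a configured membership and role provider.

```csharp
// Added example; LoginModel, AccountController, AdminController and the "Admin" role are hypothetical.
// Assumes Forms Authentication and a membership/role provider are configured in web.config.
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using System.Web.Security;

public class LoginModel
{
    [Required] public string UserName { get; set; }
    [Required, DataType(DataType.Password)] public string Password { get; set; }
}

public class AccountController : Controller
{
    [HttpGet, AllowAnonymous]
    public ActionResult Login() { return View(new LoginModel()); }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        // Membership provider: validates the credentials against the user store.
        if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
        {
            // Forms Authentication: issues the authentication cookie (session-only here).
            FormsAuthentication.SetAuthCookie(model.UserName, false);
            // Follow only local return URLs so the login page is not an open redirect.
            if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
            return RedirectToAction("Index", "Admin");
        }
        // Same message for an unknown user and a wrong password.
        ModelState.AddModelError("", "Invalid username or password.");
        return View(model);
    }

    [HttpPost, Authorize, ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Login");
    }
}

// Role provider: the configured RoleProvider answers the role check for every action here.
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index() { return View(); }
}
```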