
I am going to build two web applications, one in MVC and another in Web Forms. I am confused about whether I should use the built-in authentication system available in ASP.NET and MVC, or if I should create a custom authentication system of my own. Like creating my own AccountController with encrypted password storage, etc.

What I need to know is whether it makes more sense to use the built-in authentication or not. If not, then what things do I need to consider like encrypted passwords, etc. while creating my own Controller for this?

Jeremy Caney
Heemanshu Bhalla
  • This is a great topic, but it is not a good SO question. – jwatts1980 Jun 03 '15 at 21:08
  • Can you please tell me why it is not a good question? Actually I need to know about this. I will be grateful if you tell me – Heemanshu Bhalla Jun 03 '15 at 21:10
  • SO is for specific questions about specific implementation. Not for discussions on best practices or recommendations. Though you may occasionally find questions on here like that, most of them are older, and those questions are discouraged now. Point is, you may get answers, but you may also get downvoted and have your question closed. Check out the help center for more info. – jwatts1980 Jun 03 '15 at 21:12
  • That said, check out this SO question for some really great links on building custom membership into MVC. I used these links to build a custom user and membership management system for a MVC website I built last year: http://stackoverflow.com/questions/14872202/custom-membership-and-role-provider-in-asp-net-mvc-4 – jwatts1980 Jun 03 '15 at 21:14
  • Actually I am willing to know whether it is a good approach if we use the built-in one for authentication – Heemanshu Bhalla Jun 03 '15 at 21:18
  • The ability to build a custom membership system on top of MVC is definitely one of the values of the built-in ASP.NET authentication systems (the example @jwatts references appears to use the legacy membership provider, but a similar task can be accomplished using ASP.NET Identity as well). That said, unless you have specific requirements that are not satisfied by the out-of-the-box providers, I'd definitely recommend not reinventing the wheel. You can always create custom providers later if you find the out-of-the-box ones too limited. – Jeremy Caney Jun 03 '15 at 21:31

2 Answers


You can use ASP.NET Identity 2 in both MVC and Web Forms, but it is a steep learning curve.

You can read about ASP.NET Identity in Adam Freeman's book, which is free.

If you think ASP.NET Identity 2 is too much, you can use FormsAuthentication.

FYI: I highly suggest not to implement your own encryption algorithm. Creating an encryption algorithm requires a lot of skills and testing.

Password Hash Algorithm used by ASP.NET Universal Providers

using System;
using System.Security.Cryptography;
using System.Text;

// Decompiled from the ASP.NET Universal Providers (System.Web.Providers), wrapped in a
// class and commented so it compiles on its own. passwordFormat 0 means "Clear" (the
// password is stored as typed); any other value produces a salted hash using the
// configured HashAlgorithm, which here is hard-coded to "SHA1".
public class UniversalProviderPasswordHasher
{
    // 16 random bytes from the CSPRNG, base64-encoded so the salt can be stored
    // next to the hash and fed back into EncodePassword on verification.
    private static string GenerateSalt()
    {
        byte[] numArray = new byte[16];
        (new RNGCryptoServiceProvider()).GetBytes(numArray);
        string base64String = Convert.ToBase64String(numArray);
        return base64String;
    }

    private string EncodePassword(string pass, int passwordFormat, string salt)
    {
        byte[] numArray;
        byte[] numArray1;
        string base64String;
        bool isHashed = passwordFormat != 0;
        if (isHashed)
        {
            // The password is hashed as UTF-16 (Encoding.Unicode), not UTF-8.
            byte[] bytes = Encoding.Unicode.GetBytes(pass);
            byte[] numArray2 = Convert.FromBase64String(salt);
            byte[] numArray3 = null;

            HashAlgorithm hashAlgorithm = HashAlgorithm.Create("SHA1");

            if ((hashAlgorithm as KeyedHashAlgorithm) == null)
            {
                // Plain hash: a single pass of hash(salt || passwordBytes), no iteration.
                numArray1 = new byte[numArray2.Length + bytes.Length];
                Buffer.BlockCopy(numArray2, 0, numArray1, 0, numArray2.Length);
                Buffer.BlockCopy(bytes, 0, numArray1, numArray2.Length, bytes.Length);
                numArray3 = hashAlgorithm.ComputeHash(numArray1);
            }
            else
            {
                // Keyed hash (HMAC): the salt becomes the key, repeated or truncated
                // to the algorithm's key length, and the password bytes are the message.
                KeyedHashAlgorithm keyedHashAlgorithm = (KeyedHashAlgorithm) hashAlgorithm;
                if (keyedHashAlgorithm.Key.Length != numArray2.Length)
                {
                    if (keyedHashAlgorithm.Key.Length >= numArray2.Length)
                    {
                        // Salt shorter than the key: tile the salt until the key is full.
                        numArray = new byte[keyedHashAlgorithm.Key.Length];
                        int num = 0;
                        while (num < numArray.Length)
                        {
                            int num1 = Math.Min(numArray2.Length, numArray.Length - num);
                            Buffer.BlockCopy(numArray2, 0, numArray, num, num1);
                            num += num1;
                        }
                        keyedHashAlgorithm.Key = numArray;
                    }
                    else
                    {
                        // Salt longer than the key: keep only the leading key-length bytes.
                        numArray = new byte[keyedHashAlgorithm.Key.Length];
                        Buffer.BlockCopy(numArray2, 0, numArray, 0, numArray.Length);
                        keyedHashAlgorithm.Key = numArray;
                    }
                }
                else
                {
                    keyedHashAlgorithm.Key = numArray2;
                }
                numArray3 = keyedHashAlgorithm.ComputeHash(bytes);
            }

            base64String = Convert.ToBase64String(numArray3);
        }
        else
        {
            // Clear format: the "encoded" password is the password itself.
            base64String = pass;
        }
        return base64String;
    }
}
Win
  • So you mean to recommend the built-in authentication provided by MVC? – Heemanshu Bhalla Jun 03 '15 at 21:16
  • Both MVC and Web Forms in VS2013 come with ASP.NET Identity 2. – Win Jun 03 '15 at 21:17
  • Actually I am willing to know whether it is a good approach if we use the built-in one for authentication. What do you think if we make our own Account controller with a register and login module with 32-bit or 64-bit encryption for storing or retrieving passwords or important data? – Heemanshu Bhalla Jun 03 '15 at 21:19
  • I personally do not like encrypting a password. Instead, I like a hashed password (one-way encryption), which is more secure. I uploaded the hashed password algorithm. – Win Jun 03 '15 at 21:52

@Heemanshu Bhalla: As this is ultimately a design question, there is no right answer; it is going to depend on your precise requirements. Some questions you should be asking yourself, though:

  • Do you need to support third-party authentication (e.g., via OAuth, such as Facebook or Twitter)?
  • Do you need to provide two-factor authentication (e.g., SMS or email verification)?
  • Will this be integrated with an Entity Framework application?
  • Will you, in the future, need to provide authentication to external clients (e.g., mobile)?

As @Win notes, I would definitely avoid writing your own authentication or encryption systems. That said, if the answer to any of the above questions is "yes" then I would strongly consider the built-in ASP.NET Identity 2. Yes, as @Win says, it is a steep learning curve, but:

  • You can scaffold a basic setup using the Visual Studio project templates.
  • It will provide a strong foundation in case you need more advanced functionality later.
  • The legacy Forms Based Authentication, while easy to learn, is effectively deprecated.

If you're satisfied with the basic out-of-the-box functionality and don't mind a lot of pre-scaffolded code in your project, the Visual Studio project templates aren't difficult to get the gist of. That said, they definitely require patience and commitment to understand in full and, in particular, to provide more in-depth customizations to.

Jeremy Caney