9

I have to come up with a membership solution for a very large website. The site will be built using ASP.NET MVC 2 and a MS SQL2008 database.

The current Membership provider seems like a BIG overkill, there's way too much functionality.

All I want to store is email/password and basic profile information such as First/LastName, Phone number. I will only ever need 2 roles, administrators & users.

What are your recommendations on this type of scenario, considering there might be millions of users registered? What does StackOverflow use?

I've used the existing Membership API a lot in the past and have extended it to store additional information etc. But there's tables such as 

aspnet_Applications
aspnet_Paths
aspnet_SchemaVersions
aspnet_WebEvent_Events
aspnet_PersonalizationAllUsers
aspnet_PersonalizationPerUser

which are extremely redundant and I've never found use for.

Edit
Just to clarify a few other redundancies after @drachenstern's answer, there are also extra columns which I have no use for in the Membership/Users table, but which would add to the payload of each select/insert statements.

  1. MobilePIN
  2. PasswordQuestion/PasswordAnswer (I'll do email based password recovery)
  3. IsApproved (user will always be approved)
  4. Comment
  5. MobileAlias
  6. Username/LoweredUsername (or Email/LoweredEmail) [email IS the username so only need 1 of these]

Furthermore, I've heard that GUID's aren't all that fast, and would prefer to have integers instead (like Facebook does) which would also be publicly exposed.

How do I go about creating my own Membership Provider, re-using some of the Membership APIs (validation, password encryption, login cookie, etc) but only with tables that meet my requirements?

Links to articles and existing implementations are most welcome, my Google searches have returned some very basic examples.

Thanks in advance
Marko

Marko
  • 71,361
  • 28
  • 124
  • 158

3 Answers3

13

@Marko I can certainly understand that the standard membership system may contain more functionality than you need, but the truth is that it really isn't going to matter. There are parts of the membership system that you aren't going to use just like there are parts of .Net that you aren't going to use. There are plenty of things that .Net can do that you are never, ever going to use, but you aren't going to go through .Net and strip out that functionality are you? Of course not. You have to focus on the things that are important to what you are trying to accomplish and work from there. Don't get caught up in the paralysis of analysis. You will waste your time, spin your wheels and not end up with anything better than what has already been created for you. Now Microsoft does get it wrong sometimes, but they do get a lot of things right. You don't have to embrace everything they do to accomplish your goals - you just have to understand what is important for your needs.

As for the Guids and ints as primary keys, let me explain something. There is a crucial difference between a primary key and a clustered index. You can add a primary key AND a clustered index on columns that aren't a part of the primary key! That means that if it is more important to have your data arranged by a name (or whatever), you can customize your clustered index to reflect exactly what you need without it affecting your primary key. Let me say it another way - a primary key and a clustered index are NOT one in the same. I wrote a blog post about how to add a clustered index and then a primary key to your tables. The clustered index will physically order the table rows the way you need them to be and the primary key will enforce the integrity that you need. Have a look at my blog post to see exactly how you can do it.

Here is the link - http://iamdotnetcrazy.blogspot.com/2010/09/primary-keys-do-not-or-should-not-equal.html.

It is really simple, you just add the clustered index FIRST and then add the primary key SECOND. It must be done in that order or you won't be able to do it. This assumes, of course, that you are using Sql Server. Most people don't realize this because SQL Server will create a clustered index on your primary key by default, but all you have to do is add the clustered index first and then add the primary key and you will be good to go. Using ints as a primary key can become VERY problematic as your database and server system scales out. I would suggest using Guids and adding the clustered index to reflect the way you actually need your data stored.

Now, in summary, I just want to tell you to go create something great and don't get bogged down with superficial details that aren't going to give you enough of a performance gain to actually matter. Life is too short. Also, please remember that your system can only be as fast as its slowest piece of code. So make sure that you look at the things that ACTUALLY DO take up a lot of time and take care of those.

And one more additional thing. You can't take everything you see on the web at face value. Technology changes over time. Sometimes you may view an answer to a question that someone wrote a long time ago that is no longer relevant today. Also, people will answer questions and give you information without having actually tested what they are saying to see if it is true or not. The best thing you can do for your application is to stress test it really well. If you are using ASP.Net MVC you can do this in your tests. One thing you can do is to add a for loop that adds users to your app in your test and then test things out. That is one idea. There are other ways. You just have to give it a little effort to design your tests well or at least well enough for your purposes.

Good luck to you!

Kila Morton
  • 205
  • 1
  • 5
  • that's a very good answer, and a very good idea with the indexes/primary keys. I *will* need to store an 8 digit ID for each user, so should I just add an extra column with autoincrement? Would you index that column instead? – Marko Nov 14 '10 at 20:34
  • @Marko is that column something that you will be searching and joining on? If it is, then I would apply an index to that. Since you can only apply one clustered index to your table, I would think about the column that is going to be used the most for searches/joins and apply the clustered index accordingly. Remember that the clustered index actually changes the physical order of your table data. Non clustered indexes don't. Don't worry about it too much at first. You can use tools to benchmark as you go along and figure out which indexes may work best for you and change them accordingly. – Kila Morton Nov 15 '10 at 00:53
5

The current Membership provider seems like a BIG overkill, there's way too much functionality.

All I want to store is email/password and basic profile information such as First/LastName, Phone number. I will only ever need 2 roles, administrators & users.

Then just use that part. It's not going to use the parts that you don't use, and you may find that you have a need for those other parts down the road. The classes are already present in the .NET framework so you don't have to provide any licensing or anything.

The size of the database is quite small, and if you do like I do, and leave aspnetdb to itself, then you're not really taking anything from your other databases.

Do you have a compelling reason to use a third-party component OVER what's in the framework already?

EDIT:

there are also extra columns which I have no use for in the Membership/Users table, but which would add to the payload of each select/insert statements.

MobilePIN PasswordQuestion/PasswordAnswer (I'll do email based password recovery) IsApproved (user will always be approved) Comment MobileAlias Username/LoweredUsername (or Email/LoweredEmail) [email IS the username so only need 1 of these]

This sounds like you're trying to microoptimize. Passing empty strings is virtually without cost (ok, it's there, but you have to profile to know just how much it's costing you. It won't be THAT much per user). We already routinely don't use all these fields in our apps either, but we use the membership system with no measurable detrimental impact.

Furthermore, I've heard that Guid's aren't all that fast, and would prefer to have integers instead (like Facebook does) which would also be publicly exposed.

I've heard that the cookiemonster likes cookies. Again, without profiling, you don't know if that's detrimental. Usually people use GUIDs because they want it to be absolutely (well to a degree of absoluteness) unique, no matter when it's created. The cost of generating it ONCE per user isn't all that heavy. Not when you're already creating them a new account.

Since you are absolutely set on creating a MembershipProvider from scratch, here are some references:

http://msdn.microsoft.com/en-us/library/system.web.security.membershipprovider.aspx

https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx

http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx

http://www.amazon.com/ASP-NET-3-5-Unleashed-Stephen-Walther/dp/0672330113

Stephen Walther goes into detail on that in his book and it's a good reference for you to have as is.

Community
  • 1
  • 1
jcolebrand
  • 15,889
  • 12
  • 75
  • 121
  • @Marko I updated mine as well. I think you're microoptimizing something that you just need to consume and get past, unless you're in the business of creating membership controls. – jcolebrand Nov 13 '10 at 23:59
  • Thanks for your update @drachenstern, but I still disagree. Why have extra payload if I can remove it all together? When we're talking about querying a list of users, even if each user contained <1kb of `extra` payload, a list of 1000 users would mean 1mb of extra data, no? Also regarding GUIDs vs INTs, see these questions http://stackoverflow.com/questions/829284/guid-vs-int-identity and http://stackoverflow.com/questions/404040/how-do-you-like-your-primary-keys/404057#404057 – Marko Nov 14 '10 at 00:10
  • @Marko well I went ahead and gave you several links at the bottom that I think you should look into. They discuss what things are needed to be considered and the inherits you must do. I recommend the book regardless. ~ As for the <1kb of data, I don't know how big your server database disks are, but my disks are terrabytes in size, so an extra megabit or megabyte of data is not something I'm going to miss. And by the time I get to a million users I've decided exactly what information I need to store in the database. At that point you're going to be up for a rewrite anyways. – jcolebrand Nov 14 '10 at 00:13
  • @Marko - i share your pain with the membership provider, but keep in mind when you write a new one, your losing all the built-in membership provider API functionality (security most important). Stack uses OpenId - which is an option if your doing a new website, but you can't migrate existing users. I agree with @drachenstern - just use the parts you want. Take into consideration the security concerns of your website - if it's a simple, non-mission critical app then fine - by all means write your own. – RPM1984 Nov 14 '10 at 00:52
3

My recommendation would be for you to benchmark it. Add as many records as you think you will have in production and submit a similar number of requests as you would get in production and see how it performs for your environment.

My guess is that it would be OK, the overhead that you are talking about would be insignificant.

Hector Correa
  • 26,290
  • 8
  • 57
  • 73
  • so you agree with me he needs to profile under load? ;) ... also consider that this is a per-user-per-page access load, so you would have to not only generate user-login-load but also user-site-use-load with authenticated logins over sessions. And it's going to have to maintain per-"user" cookies. – jcolebrand Nov 14 '10 at 01:12
  • yup...I am assuming that if the are expecting millions of users then a good test environment is available for these kind of things. – Hector Correa Nov 14 '10 at 01:19