0

I've got a few top-level questions about ASP.NET Membership and Role providers. I've done some searching but am having a hard time finding some layman tutorials. I have been coding in ASP.NET for a while now but the only real experience I have with authentication is the use of FormsAuthentication.SetAuthCookie(usernameFromDatabase, false);

When I use the SetAuthCookie() method above am I using the ASP.NET Membership Provider? Correct me if I'm wrong please but I don't think I am. I am just setting an authentication cookie right? I usually implement my own custom methods in my data repositories like GetUser_ByUsername(string username) which then talks to the ORM and gets the right user.

  1. Do the Membership and Role Providers have their own data storage?
  2. What if I want to use my own data storage?
  3. Do I need to implement my own membership/role provider, and how would one go about doing that?
  4. Or is my way of just setting the auth cookie and then using my own retrieval methods, etc, the best way of doing a custom membership/role provider?

I'm just looking for a brief tutorial/explanation of this system. If you have any good references for me to look at I will happily take a look :)

CatDadCode
  • 58,507
  • 61
  • 212
  • 318
  • I decided to avoid implementing provider. It pollutes code with unnecessary stuff and God have mercy in case You let it into database. http://bit.ly/hDROpU – Arnis Lapsa Mar 25 '11 at 15:36
  • So can you not just code against some kind of interface and let your own code provide data to the provider? Does it actually have to access your database directly? That's horrible. – CatDadCode Mar 25 '11 at 15:45
  • You should really look at the [nerd dinner](http://nerddinner.codeplex.com/) source and how they implement auth. Or another simpler example is : Create a new project, don't say _empty project_ create a new _Internet Application_ project it will have some code for authentication. Its really helpful. – gideon Mar 25 '11 at 15:50
  • @Chevex : If you have an existing middle-tier, just hit that inside the custom `MembershipProvider` and you'll be good. This is just one more layer of abstraction that integrates with ASP.NET sites and controls. – Matt Bishop Mar 25 '11 at 15:56
  • @Matt is this still a recommended route even if I'm actually using ASP.NET MVC 3 rather than plain ASP.NET? – CatDadCode Mar 25 '11 at 16:00
  • @giddy that is a good idea. I will do that right now actually. Thanks for the suggestion. – CatDadCode Mar 25 '11 at 16:02
  • @Chevex it will be helpful, thats how I implemented my own auth scheme with my own tables and a fine grained permission system. [Posted it here](http://stackoverflow.com/questions/4359661/granular-permissions-with-certain-requirements-for-an-mvc-site/4565235#4565235) – gideon Mar 25 '11 at 16:05
  • @Chevex : Sure it is, in fact I use a custom one in some MVC projects of my own. You can use the controllers and models that come in the application template and simply plug your new provider in the web.config. – Matt Bishop Mar 25 '11 at 17:38

3 Answers3

2

Implementing a membership provider is not too hard. Note that you only need to implement the methods that you plan to actually use. The membership provider should be viewed as a means to interact with your user information from an authentication perspective. It won't create the auth cookie for you; you do that after a successful call to the ValidateUser method on the provider. It will allow you to develop an application against the provider interface and easily change which provider you want to use via configuration rather than rewriting the application code. I've successfully implemented several different membership providers, using my own schema, which support built-in and hybrid built-in/active directory authentication. More info available via the links below:

tvanfosson
  • 524,688
  • 99
  • 697
  • 795
2

SetAuthCookie() works with the Forms Authentication framework within ASP.NET which you can then adapt for integration with a membership provider.

  • Do the Membership and Role Providers have their own data storage?

They can, yes. There is an abstract implementation that you can subclass for your specific data needs. There is a SqlMembershipProvider you can use right out of the box, you just need a database to point to and create the needed tables. There is quite a bit of information on that class, like here or here.

  • What if I want to use my own data storage?

The SqlMembershipProvider does, but check out this alternative MySQL framework if you're interested in seeing how another DBMS does it.

  • Do I need to implement my own membership/role provider, and how would one go about doing that?

Using the built-in ones is pretty easy, but a lot of shops roll their own so that they can use existing tables. You'll need to implement this class.

  • Or is my way of just setting the auth cookie and then using my own retrieval methods, etc, the best way of doing a custom membership/role provider?

In all likelihood you'll need a stronger system, and a custom membership provider is a good idea.

Matt Bishop
  • 1,010
  • 7
  • 18
1

1 - Yes, if you use the built in membership/role providers they use tables created either in a separate database or an existing one. You use the tool aspnet_regsql.exe to create these tables - it walks you through a wizard. Alternatively, it can also be called from the command-line with different arguments in order to skip the wizard. This is some info from MS about creating the necessary DB/tables within your DB.

2 - You can do that, but you have to implement a custom membership provider, which isn't really difficult. Here and here are some tutorials.

3 - You don't necessarily need to unless you either want to use your own data stores or you need functionality from it that isn't present in the built-in providers.

4 - I would say you're better off using the built-in functionality ASP.NET provides for membership and roles.

Zann Anderson
  • 4,767
  • 9
  • 35
  • 56