21

I have used ASP.NET 2.0 Membership Provider in the past for sites with Forms authentication.

I'm working on a new site in ASP MVC 3, and I'm curious if there are any more modern, better, more secure, membership/security implementations than the .NET 2.0 Membership Provider built in to .NET 4.0, or Open Source, etc.

If they exist, what kinds of security goodies do they support?

I've read this question and answers and I understand the benefits for using a built-in solution but I'm curious if there have been any major improvements since .NET 2.0's built in solution.

I don't want to "roll my own" because of the risks involved in getting it wrong.

Thanks.

J.r. Hounddog

2 Answers

4

I haven't heard of anything more secure than the shipped ASP.NET providers, however, I do like using Altairis Web Security.

What I liked best about these guys is the deployment is much simpler than the shipped providers, alternative storage methods (plain-text or XML files, handy for small intranet sites with no roles to implement) to a dead-simple three-table implementation of the SqlMembershipProvider.

Rocjoe
  • This looks like a nice alternative to simplify the ASP.NET Membership provider. It looks pretty clean, simple, and straightforward, which is a plus. Does it contain anything more "modern" in the world of security than the built in solution? – J.r. Hounddog Jun 03 '11 at 13:05
  • @J.r. Hounddog - Modern? No, doesn't look it to me. But then security doesn't change all that fast or often. – Rocjoe Jun 03 '11 at 22:43
2

There is also WIF (Windows Identity Foundation), which leverages SAML tokens to perform federation identity. This approach allows you to externalize your Identity requirements to an external and specialized platform.

While the solution proposed by Rocjoe is designed for simple and small applications, WIF is designed to simplify big ones.

Personally, I like the modularity and separation provided by WIF.

However, be aware that deploying an Identity Federation platform can have a quite steep learning curve, and requires an SSL certificate. It can be worth the investment however.

Magnus Lindhe
Eilistraee
  • Would you say WIF is mainly used for large applications? Would it be considered overkill for a small-medium sized application? – J.r. Hounddog Jun 03 '11 at 00:56
  • Technically, WIF is designed to abstract the notion of identity from your application. IE: Once WIF is enabled, reusing your identity system on other applications is a breeze. And if you want to enable OpenId, Facebook Id, Domain auth etc... you will only have to update the Identity Provider, not the apps using it. If you want to extend your Identity mechanisms later, WIF or other Identity provider tools are the way to go. Keep in mind that deploying it involves getting familiar with quite a lot of security and identity management concepts. It won't exactly work out of the box. – Eilistraee Jun 03 '11 at 08:15
  • +1. It seems WIF supports a lot of security goodies, but comes with a small price. Thank you for your explanations. – J.r. Hounddog Jun 03 '11 at 12:59