19

Are there any alternatives\mods to .net Membership?

I find it quite restrictive;

  • Cant change Username, easily. You have to create a new user and copy the fields, but then you lose the primary key OR you have to edit the user table directly yourself.

  • Additional profile fields are stored together as one blob.

Dan
  • 29,100
  • 43
  • 148
  • 207

5 Answers5

13

ASP.Net membership uses a provider model. That means you are completely free to implement your own membership provider, or even inherit from and extend an existing provider, as long as you follow the provider contract.

Plus one for asking about existing alternatives rather than trying to build something new yourself, though.

Joel Coehoorn
  • 399,467
  • 113
  • 570
  • 794
8

I'll go ahead and list my alternative here. I've rolled my own authentication library, and I think it's awesome enough to be publicly released... So I did. It's designed to stay out of your way and overall, it's pretty minimalistic. I don't provide a lot of out of the box user controls, but on most websites I've seen those built-in user controls are never used. So instead of trying to make yet more flexible user controls, I decided instead to make it brain-dead simple to create your own login controls and such.

The project is called Fast, Secure, and Concise Authentication, or FSCAuth for short. It is BSD licensed. You can download it over at Binpress or at Bitbucket

It's flexible "UserStore" model(the Form's equivalent of provider) enables you to form your database anyway you want. It can support plain text files, XML, MongoDB, Sql Server, and anywhere in-between.

Here's a list of things where I think it particularly excels over Forms Authentication:

  • Stateless Authentication System. There is no requirement to keep track of user sessions in either the database or memory. This makes it trivial to scale up to multiple servers requiring few(if any) changes to your authentication code
  • Use anything as a Unique ID for each user. That's right, no more GUIDs! Anything that will fit in a string is fair game
  • HTTP Basic Authentication baked in. You can enable Basic Authentication just on pages you want(or globally) and you can make the same calls as if they were using the typical cookie-based authentication
  • Hard to make insecure. Because of how it works and I leave as little core-code as possible to the end user for actually doing authentication, it's extremely secure and will stay that way unless you just really try to break it. I handle cookies, HTTP Basic Auth, and all hashing. You just give FSCAuth a database to put it in.
  • BCrypt support for hashes is trivial. How to do it.. In Forms Authentication it is almost not possible
  • I like it :)

Of course it's also lacking, and to be fair I'll include a few things that are lacking

  • Authenticating static files in IIS 6 isn't possible(yet)
  • There is no brute-force prevention(yet). This means that you'll need to make sure the same person isn't trying to hit your login page 200 times in 2 seconds.
  • It's not built into ASP.Net
  • No Windows or Passport authentication (with no plans to ever add)
Community
  • 1
  • 1
Earlz
  • 62,085
  • 98
  • 303
  • 499
2

As the ASP.NET membership model is built around Providers, there are a number of alternatives available.

By default, users have a ProviderUserKey, which is a GUID, and that's the Primary key of the database, so you should be able to write something to change their username if you want.

In terms of the profile, yes, the default blob is fairly annoying. You could take a look at the SQL Table Profile Provider which maps profiles on to tables, or fairly quickly roll your own.

Dan
  • 29,100
  • 43
  • 148
  • 207
Zhaph - Ben Duguid
  • 26,785
  • 5
  • 80
  • 117
0

As far as changing the username goes, that can easily be accomplished by using the CreateNewUser() method and filling in the appropriate fields based on the current User, and then deleting the current user.

Profile fields are not part of the .NET Membership Provider model, but part of the Profile Provider. This is a highly debated topic and for most production machines, the correct way to go is to drop-in a better profile provider solution, such as this Table Profile Provider, which stores profile fields as you'd expect rather than as a memory-hogging blob. Alternatively, you can easily roll your own profile provider, check out the instructions here.

There are certainly .NET Membership alternatives, but most are buggy or have a small featureset. It really sucks to develop on top of one for two months and then realize it won't support all the functionality you need. .NET Membership is a proven solution and that's why it is used so often.

Dan
  • 29,100
  • 43
  • 148
  • 207
JoshJordan
  • 12,676
  • 10
  • 53
  • 63
  • 2
    If you create new user it will also generate new ID for it, right? Not good if user is already referenced by other tables. – XOR Mar 31 '09 at 20:07
  • No, but pretty simple to fix in your method for "changing" the username. – JoshJordan Mar 31 '09 at 23:04
0

As for the Profile there are a couple of alternatives out there. These two use either a table or let you call a stored procedure. Of course you can also implement your own. I personally got tired of using the Profile Providers, and found that dealing with the profile in my code was easier to control and contain.

As for the other issues, you can also implement your own provider. Microsoft released the source code to the SQL Providers so it can give you a starting point.

JoshBerke
  • 66,142
  • 25
  • 126
  • 164