Login/Register
Why should I use ASP.NET Membership security model?
Asked Answered
asp.netsecuritymembership
S

9

28

I'm updating my website at the moment and figure that if I am to update my login/security mode, now is a good time.

I have looked through the Membership model which is included in ASP.NET but I'm not convinced that it will provide any benefit apart from being familiar to other .NET developers.

There seems to be quite a lot of documentation for it, but little discussion for why its worth the effort.

Can anybody shed some light upon this?

Shed answered 13/1, 2009 at 20:5 Comment(1)
See also #2657310Bachelor
G
15

I see little benefit to using membership for a large site. This has been marketed as 'the' solution for ASP.Net authentication. However, really it looks like Microsoft is just trying to position the old Membership Server product as soemthing that everyone all of a sudden needs.

I worked on Membership Server at Msft around 10 years ago. Was also a lead developer on shop.microsoft.com, and I can tell you we used no internal server products on that site--not commerce server, not membership server. Not sure how they are doing it now--but I think the general consensus at that point was that those type of packages generally got in the way of what we were trying to do.

It could be useful for a smaller site, or if you have limited resources... i.e. a few hundred users for a departmental or small company intranet, where you don't want to invest much time or resources. The more I look at it, the more it seems completely inappropriate for larger, custom web sites.

What I really don't understand is how almost every ASP.Net book seems to push this as the only way to do it, rather than one way to do it.

Girasol answered 17/4, 2010 at 1:5 Comment(3)
IMO, this is a ridiculous comparison. You might as well be claiming that Membership Server is the same as AD. The MembershipProvider functionality and Membership Server work on entirely different technologies. The MembershipProvider will scale to whatever you db or AD store can handle. If you ever get to the point of actually hitting some upper limit in performance (unlikely), then write your own MP.Xylography
The effort to write a custom MP would appear to be roughly the same effort to write a completely custom solution. By going completely custom, the total amount of code at the end in the system will be about 20 times less, maybe 50 times less.Girasol
What is Membership Server? This question is about the ASP.NET Membership Provider model.Aulos
B
9

I wrote my own after reading through all the stored procedures in the ASP.NET Membership provider. It's not hard and you have much more control at the end of the day.

If you like XML configuration, weakly-typed strings for roles, insecure by default, random web.config files littered through your directories instead of a clean marker interface on your page classes to say 'no account required', multiple database hits for a single login, user objects that aren't loaded from your current ObjectContext/DataContext and the ability to change providers on the fly (woo hoo, who uses that?!) go for the built-in one.

If not, build your own, but if you do, make sure you store an encrypted/salted hash of your passwords, and do a proper encrypted cookie please.

[Updated to reflect feedback in comments]

Bachelor answered 17/4, 2010 at 1:44 Comment(3)
Glad to hear someone else decided to go this route. Do you mean encrypting the password for storage in the DB or something else? Any recomendation for the best way to encrypt the cookie?Girasol
To create authentication token: Add an expiration date, Triple DES encrypt then Base64 encode using URL safe characters. Using URL safe Base64 encoding means you can also use them on query strings. I've been meaning to write a blog entry on my LINQ-to-EF based authentication scheme for some time ... maybe I'll make the effort now.Bachelor
Don't store your passwords or store your encrypted passwords - store an encrypted/salted hash of your passwords.Johannajohannah
V
6

Unless you are the only person who will ever work on this particular site, I think the fact that it is familiar to .NET developers is a good reason to go the built-in Membership route. Other developers with ASP.NET experience can jump into the project and get up to speed on your site's authentication/authorization model very quickly.

We use the built-in Membership and Role provider model on our site and it works very well...we had to write our own Provider classes, since we use a different backing store for the data (we use Microsoft Dynamics CRM), but these classes are pretty simple and well-documented. By doing this bit of work up front, we can now use the Membership and Roles classes in code as well as the various login-related server controls on our pages.

Is there another alternative that you are considering?

Victoria answered 13/1, 2009 at 20:15 Comment(4)
Hmm so how does the User, IPrinciple and MembershipUser all relate?Shed
User (I assume you mean the Page.User property) works just as before: it returns an IPrincipal; specifically, an instance of RolePrincipal. Because we wanted to track additional information about each user, we derived from MembershipUser as well. We can call (OurMembershipUser) Membership.GetUser().Victoria
So Membership is not the same as MembershipProvider ?Shed
Not exactly; Membership is a static class that exposes a number of membership-related methods (e.g. CreateUser(), DeleteUser()) which in turn call the current membership provider class defined in the web.config file. More details: msdn.microsoft.com/en-us/library/2d449f1x.aspxVictoria
D
3

The only thing I really hate about the MembershipProvider that comes with .Net is the fact that the userid is a GUID instead of an auto incrementing identity. I know there are bonuses to using a GUID but integrating it into pre-existing systems or modules can be a pain.

Doy answered 13/1, 2009 at 22:10 Comment(2)
I think that's a major reason for using guids. At some point, while integrating two systems, you may have duplicate user ids if they are auto-incrementing ints, but (in theory) you'll never have duplicate guids.Ruskin
This is a reason in itself to NEVER use that provider. Trash.Zareba
S
1

It is there simply so that you do not have to roll your own.

Saddlebag answered 13/1, 2009 at 20:14 Comment(0)
A
0

It's value is that it is an easy to use ready built role based security framework. If you have already built your own framework and migration is not trivial then it may not be worth it. But one benefit of migrating would be you could eliminate a lot of application code and replace with framework code.

Abyss answered 13/1, 2009 at 20:15 Comment(0)
E
0

If you ever want to migrate your site to any kind of already made portal software - like Community Server or DotNetNuke using the membership provider allows for easy migration. You can even use the existing database and not have to implement new ones.

Eschar answered 13/1, 2009 at 22:4 Comment(0)
B
0

I think a compelling feature of ASP.NET Membership, Role and Profile is that it uses the provider model. If you aren't happy with it the way it is, it is not difficult to roll your own from the base classes. If you look at codeplex.com you can find probably a dozen or more custom providers that people have written. I wrote one for the SQLite database a few years ago.

Brumfield answered 4/2, 2012 at 20:48 Comment(0)
K
0

The Membership route works well BUT there is one fatal flaw and I do not blame Microsoft for it.

Internet Explorer is the only browser that properly disposes of the authentication cache.

You can close a Firefox browser, open it and then restore that last session and go right back into your "secure" website without logging in. Chrome has similar issues and anything Mac does the same.

IE has a javascript call that handles this correctly: document.execCommand("ClearAuthenticationCache", "false");

It does not work with any other browser. If you use this you need to force users to use IE.

Koerlin answered 11/2, 2015 at 15:12 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.