ASP.NET MVC FormAuhtorication: Create your own or use Out of The Box

Question

Hey

Im looking to have a login system on my asp.net mvc website and at first i thought i would just go with the FormAuhtorication and use the Out of The Box Account Controller that is created with every mvc project. Then search around at google and found that many people make their own Controller to control the Auhtorication.

I like to create my own database table for the user information, so i modified the AccountController a bit. But is it really the best way to go, by creating your own Controller to handle FormAuhtorication?

/thanks in advance

EDIT: Also should i just stick with the autogenerated database that is generated for auhtorcation or can i make my own? I really prefer the later.

Answer 1

Don't reinvent the wheel. Doing authentication right is much more subtle than most people realize. For example, the cache attribute has special code to deal with authentication and ensure that cached data doesn't get served to un-authenticated users (recall: when cached data is served, your action never runs, and hence "controller-based authentication" won't work).

If you must use entirely custom authentication, implement an ASP.NET membership provider. But only do this if there is no off-the-shelf option which works. It's harder than you think.

Answer 2

I try to use OpenID whenever I can. I like the fact that I don't have to worry about storing passwords. Plus it saves users a lot of time at sign up. There is a nice framework for OpenID and .net here.