views:

108

answers:

5

I've been an ASP.NET developer for some time, always working on existing ASP.NET pages, modifying functionality, adding features, tweaking things etc. but have never built a site up from scratch. I've read books on ASP.NET, and they generally talk you through the various features of ASP.NET with a mock up site, but it's always very basic and they jump straight in.

The time has come however, to write a site from scratch for a client. I've never done this before. There are design considerations, but like a lot of ASP.NET sites, the basic idea is that you have a site where users can log in and save some information like their name, password and address. The site has some functionality, but that's the basic design of a majority of (business-related) ASP.NET websites, I would wager.

I know how to program in ASP.NET already on an existing site, but I don't know how to design my own properly that meets the criteria above.

I guess the main worry is security. I don't know the best way to handle a simple log-in system that stores user information like their name and password. I understand there are a few approaches to this, but the catch with this project is that it has to be absolutely bulletproof. Maximum security. All those good practices for security, it needs to have them all.

I'm not asking what they are, but I am asking where to begin. What should be the first steps after I do File > New Project ? Where can I look for information about setting up a secure ASP.NET website? I'll figure out the content and page layout later, it's the framework that is the big thing.

Any and all advice would be welcome. I really want to get my first from-scratch project right from the beginning.

Edit: Based on answers, let's assume I am using MVC, as they are apparently quite different.

+2  A: 

ASP.NET MVC has a built in login system using Forms Authentication. Just use it, don't write your own.

Grab some sample apps like NerdDiner, and emulate their structure.

Andrew Lewis
Thanks for this, I am going to be scrutinizing forms authentication all weekend.
SLC
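As an added example (not code from the original answer or from NerdDinner), here is what "just use Forms Authentication" looks like in an ASP.NET MVC controller: the framework's `Membership` provider validates the password, `FormsAuthentication` issues the ticket, and `[Authorize]` fences off the pages that need a login. It assumes web.config already has `<authentication mode="Forms">` with `loginUrl="~/Account/LogOn"` and a configured membership provider (the Visual Studio project template sets both up), and it uses `[HttpPost]`/`[RequireHttps]`, which need MVC 2 or later. The controller, model and action names are illustrative.

```csharp
// Added example, not from the original post. Assumes web.config has
// <authentication mode="Forms"><forms loginUrl="~/Account/LogOn" /></authentication>
// and a configured MembershipProvider (the VS project template provides both).
using System.Web.Mvc;
using System.Web.Security;

public class LogOnModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

[RequireHttps] // credentials only ever travel over SSL (MVC 2+); pair with requireSSL="true" on <forms>
public class AccountController : Controller
{
    // Anonymous users may reach the login form.
    public ActionResult LogOn(string returnUrl)
    {
        ViewData["ReturnUrl"] = returnUrl;
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // the view renders <%= Html.AntiForgeryToken() %> inside the form
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        // Let the configured MembershipProvider check the password. With the default
        // SqlMembershipProvider that means salted hashed storage and account lockout
        // after repeated failures, none of which you have to write yourself.
        if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

            // Only follow returnUrl if it points back into this site; otherwise the
            // login page doubles as an open redirect to an attacker's domain.
            if (!string.IsNullOrEmpty(returnUrl) && IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }

        // Same message for unknown user and wrong password: don't reveal which it was.
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }

    // MVC 3+ has Url.IsLocalUrl; written out here so it also works on MVC 2.
    private static bool IsLocalUrl(string url)
    {
        return url.StartsWith("/") && !url.StartsWith("//") && !url.StartsWith("/\\");
    }
}

// Anything inside the login fence gets [Authorize]; unauthenticated requests are
// redirected to loginUrl with ?ReturnUrl=... by the FormsAuthenticationModule.
[Authorize]
public class ProfileController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```

The three details worth noticing are the ones a hand-rolled login usually gets wrong: the anti-forgery token on the POST, the local-URL check before honouring `returnUrl`, and a single generic failure message so the form does not confirm which user names exist.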
+1  A: 

I'm not familiar with MVC, but I've used ASP.NET for a number of different sites using Forms authentication style security. Although really, I think you want to sit down and figure out the overall plan of your site. What are the major actions/sections/etc.? Then flesh each of those out. Determine where your security bounds are, what requires an account, what is open to everyone. Determine how you will store secure information, hash passwords, SSL, etc.

People write whole books about this topic, so it's hard to address it all here. But the more you plan and think it out, the less you'll have to worry about later when you realize you forgot something and have to add it to everything you've already coded. Most developers hate to sit down and start with paperwork (ok, at least I do), but it's always useful to me in the end.

Thyamine
I absolutely agree with you on this! I'll be checking out forms authentication too, since it seems like a unanimous reply. Definitely going to check out what you mention about security bounds and securing info, passwords etc.
SLC
I'm not sure security bounds is the correct term. I think of it like a fence, inside the login perimeter and outside. What's outside is all public/available to anonymous users; inside requires an account and/or additional security permissions.
Thyamine
I understand what you mean :)
SLC
A: 

I recently began writing my own MVC application from scratch to explore using a lot of different technologies I was interested in together.

I wanted to implement inversion of control, entity framework with the repository pattern, validation (possibly using data annotations), MVC, Test Driven Development, etc.

I found the Golf Tracker articles and videos at http://mvccentral.com/ to be very helpful. I didn't do everything the way he shows in these videos. Some parts I substituted for something else. But overall, it was enjoyable and easy to follow.

I also agree with Andrew that you shouldn't write your own Forms Auth stuff in MVC. Just use what is already there.

Brian McCord
Thanks, I will check it out, and I am going to examine your list of patterns too!
SLC
+1  A: 

You mentioned security as being a big concern. If you are using VS2010, you can easily spin up a web project that has all the login security already built into it. It is called Role Management and it is part of the framework. If you search on RoleManager or RoleProvider, you can read all about it and how to implement it. I would certainly leverage this built in code rather than try to write your own.

Once you spin up this project, you will need to enable the RoleManager in the web.config and point it to where the login information will be stored (ie: SQL).

After that, you are ready to design the site and build out the CSS. The project also includes a menu so you can use that if you like. Then it is a matter of just doing what you are used to and hooking up the CRUD and Views. MVC works great with linq2sql so I would go down that road but you can use any interface you want to get data to and from the database.

RJ
Oooh, yes we have VS2010, this sounds very interesting! I don't have VS2010 on my home pc, do you know if these features are available in the express editions? That way I can play over the weekend.
SLC
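As an added example (not from the original answer), this is what "enable the RoleManager in the web.config and point it to SQL" comes down to, followed by how the roles are then consumed from MVC with `[Authorize(Roles = ...)]` and the `Roles` API. The web.config fragment is shown as a comment so the block stays in one language; the connection string name `ApplicationServices`, the role names and the controller names are assumptions, and the `aspnet_*` tables the provider expects are created by `aspnet_regsql.exe` (or come with the VS2010 template's bundled database).

```csharp
// Added example, not from the original post. Role Manager configuration plus its use
// from MVC controllers. Connection string name and role names are assumptions.
//
// web.config, inside <system.web>:
//
//   <roleManager enabled="true" defaultProvider="SqlRoleProvider">
//     <providers>
//       <clear/>
//       <add name="SqlRoleProvider"
//            type="System.Web.Security.SqlRoleProvider"
//            connectionStringName="ApplicationServices"
//            applicationName="/" />
//     </providers>
//   </roleManager>
//
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Whole controller requires an authenticated user who is in the Admin role.
// Forms auth turns the resulting 401 into a redirect to the login page.
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return View(Membership.GetAllUsers());
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Promote(string userName)
    {
        // The attribute already decided who may call this; still validate the input.
        if (Membership.GetUser(userName) == null)
            throw new HttpException(404, "Unknown user");

        if (!Roles.IsUserInRole(userName, "Admin"))
            Roles.AddUserToRole(userName, "Admin");

        return RedirectToAction("Index");
    }
}

// Mixed access inside one controller: put the attribute on individual actions.
public class ReportsController : Controller
{
    // Any logged-in user.
    [Authorize]
    public ActionResult Mine()
    {
        return View();
    }

    // Comma-separated list: user must be in at least one of these roles.
    [Authorize(Roles = "Manager,Admin")]
    public ActionResult All()
    {
        return View();
    }

    // Role decisions inside code, e.g. to hide a button rather than block a page.
    // Hiding the button is not authorization; the action it posts to still needs its attribute.
    public ActionResult Summary()
    {
        ViewData["CanExport"] = User.Identity.IsAuthenticated && User.IsInRole("Manager");
        return View();
    }
}
```

Keep the attribute as the thing that actually enforces access; checks like `User.IsInRole` in views or view models are for presentation only, and an action without `[Authorize]` is reachable by anyone who knows the URL regardless of what the menu shows.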
+1  A: 

There is no one "best" way to do security. It all depends on your requirements. If you really truly want maximum security, don't deploy your application on the internet. Or a network. And have biometric sensors protecting the room your app is running in. And laser beams. Lots of laser beams. :) But I'd wager that really wouldn't meet your requirements.

Forms Authentication has many good qualities. But in certain scenarios, maybe Windows Authentication is a better choice--like if all the users of your app are inside one network.

Is there a requirement that users be able to retrieve a forgotten password? Reset a password? Are there business procedures that need to be followed for that to happen? These are questions that might impact what you choose for authentication and authorization. And beyond that, as Robert Harvey mentioned, security is not just about logging in--there are script injection, SQL injection etc.

You say you aren't asking what all those "good practices" for security are, so I'd say the place to begin is with that list of good practices you have. If they aren't expressed as requirements, translate them into requirements. Then look at each of them individually, and look at what features ASP.NET has to accomplish them. In this way, you're looking at specific topics, rather than an overwhelming "how do I do security" question. Divide and conquer.

joelt
And a moat, with sharks. Sharks with laser beams attached to them.
Neil N
That all sounds good, especially the moat! The features like requesting a password etc. are good ones to make a note of, but it's best to assume the worst, and store everything salted and hashed or encrypted. I want all these things, but I don't know where to _begin_ really. I'm going to check out some links below, and see if I can find a tutorial that says, follow these steps, and you will have the basis for a secure site. I hope that forms authentication meets these requirements, and that one of the links leads me to find a good tutorial of how to get started with it.
SLC
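To make the "security is not just about logging in" point concrete, here is an added example (not from the original answer) of the two injection classes named above, each shown as the vulnerable form beside its fix: SQL injection through string concatenation versus a parameterized `SqlCommand`, and script injection (XSS) avoided by encoding user-supplied text before it reaches HTML. The `Users` table, column names and class names are assumptions made for the example.

```csharp
// Added example, not from the original post. Table and column names are assumptions.
using System.Data;
using System.Data.SqlClient;
using System.Web;

public class UserRepository
{
    private readonly string _connectionString;

    public UserRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // VULNERABLE: the user name is pasted into the SQL text. A value such as
    //   x' OR '1'='1
    // rewrites the WHERE clause into a tautology; a value ending in '; DROP TABLE Users--
    // appends a second statement. The database cannot tell data from code here.
    public string FindEmailUnsafe(string userName)
    {
        string sql = "SELECT Email FROM Users WHERE UserName = '" + userName + "'";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // FIXED: the value travels as a typed parameter, never as SQL text, so the
    // same input is simply a user name that matches no row. Escaping quotes by
    // hand is not a substitute for this.
    public string FindEmail(string userName)
    {
        const string sql = "SELECT Email FROM Users WHERE UserName = @userName";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
}

public static class Output
{
    // VULNERABLE: a display name of <script>alert(1)</script> becomes live markup
    // for every visitor who sees the page. ASP.NET's request validation rejects
    // the most obvious payloads on input but is not a complete defence.
    public static string GreetingUnsafe(string displayName)
    {
        return "<p>Hello, " + displayName + "</p>";
    }

    // FIXED: encode at the point of output, whatever the source (user, database, API).
    // In a view the same rule is <%: Model.Name %> (ASP.NET 4) or
    // <%= Html.Encode(Model.Name) %> rather than <%= Model.Name %>.
    public static string Greeting(string displayName)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(displayName) + "</p>";
    }
}
```

Both fixes share one idea: keep untrusted input as data by handing it to an API that knows the target context (SQL parameters, HTML encoding) instead of building the SQL or the HTML as a string. Written as requirements in the sense joelt describes, these two become "all database access uses parameters or an ORM" and "all output of user-controlled text is encoded", each of which can be checked against the code.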