views:

53

answers:

1

I'm contemplating how I should implement authorization and authentication with ASP.NET and MVC2. Let's refer to this as a user system.

I have seen three types of solutions in the wild:

I've been reading your knowing thoughts and many say that trying to roll your own "user system" might be even dangerous, if you are not careful with the security details. On the other hand, the solution is a whole lot simpler. Everything is probably stored in one database and user specific stuff is in one users table. The overhead for this solution seems to be quite low.

Using the ASP.NET membership solution allows you to use a lot of out-of-the-box functionality, but IMHO, is really confusing. You probably need to store the membership stuff in its own database and somehow be able to link the user entity from your site-specific database to the ASP.NET one.

If you are using the ASP.NET membership

  • What does your database schema look like? How do you create foreign relationships to the ASP.NET membership users (i.e. Songs <=> FavoriteSongs (<=> SiteUsers) <=> aspnet_Users)?
  • Why didn't you roll your own?

If you have rolled your own

  • What kind of user system abstraction layer, if any, did you use?
  • Why didn't you use ASP.NET membership?

I'm really paralyzed by analyzing these possibilities. Please kick me in the right direction from this sticky web of membership paralysis! Thank you.

+1  A: 

The built-in membership provider is already secure and is really REALLY easy to use. You can be up and running with built-in membership in a couple of hours. Alternatively (depending on what type of application you're building) you could also check out using OpenID, which is what StackOverflow uses.

Also, with the built in Membership Provider, creating relationships is as easy as using a "uniqueidentifier" to relate the aspnet_User table (I can't remember the exact name off the top of my head) with the related table.

I store all of my membership "stuff" in the same database as the system db, and it has never steered me wrong. Creating the membership "stuff" is easy as well. Just run aspnet_regsql.exe against the database that you want to have ASP.NET membership.

Here's another SO question along the same lines.

rockinthesixstring
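The linking approach the answer describes, as an added T-SQL example that is not part of the original post: site-specific tables keyed to the `aspnet_Users` table that `aspnet_regsql.exe` creates, whose `UserId` column is a `uniqueidentifier` primary key. Table and column names other than `aspnet_Users.UserId` are assumptions chosen to match the Songs / FavoriteSongs / SiteUsers chain in the question; `@UserId` is assumed to be the GUID the application reads from `Membership.GetUser().ProviderUserKey`.

```sql
-- Added example (not the original post's code). Site users map 1:1 to
-- membership users via the GUID that aspnet_regsql.exe's schema uses as
-- the primary key of dbo.aspnet_Users. The FK means a SiteUsers row can
-- never point at a membership user that does not exist.
CREATE TABLE dbo.SiteUsers (
    SiteUserId   INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    UserId       UNIQUEIDENTIFIER NOT NULL UNIQUE,   -- 1:1 link to aspnet_Users
    DisplayName  NVARCHAR(100)    NOT NULL,
    CONSTRAINT FK_SiteUsers_aspnet_Users
        FOREIGN KEY (UserId) REFERENCES dbo.aspnet_Users (UserId)
);

CREATE TABLE dbo.Songs (
    SongId INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    Title  NVARCHAR(200) NOT NULL
);

-- Many-to-many link table; deleting a site user removes their favorites.
CREATE TABLE dbo.FavoriteSongs (
    SiteUserId INT NOT NULL,
    SongId     INT NOT NULL,
    AddedUtc   DATETIME NOT NULL DEFAULT (GETUTCDATE()),
    CONSTRAINT PK_FavoriteSongs PRIMARY KEY (SiteUserId, SongId),
    CONSTRAINT FK_FavoriteSongs_SiteUsers FOREIGN KEY (SiteUserId)
        REFERENCES dbo.SiteUsers (SiteUserId) ON DELETE CASCADE,
    CONSTRAINT FK_FavoriteSongs_Songs FOREIGN KEY (SongId)
        REFERENCES dbo.Songs (SongId)
);

-- Favorites of the logged-in user. The application supplies @UserId from
-- Membership.GetUser().ProviderUserKey (a Guid under the SQL provider), so
-- the query is scoped by the authenticated identity, not by an id taken
-- from the request.
DECLARE @UserId UNIQUEIDENTIFIER;  -- assumed to be set by the caller
SELECT s.Title
FROM dbo.FavoriteSongs f
JOIN dbo.SiteUsers su ON su.SiteUserId = f.SiteUserId
JOIN dbo.Songs s      ON s.SongId      = f.SongId
WHERE su.UserId = @UserId;
```

Run the `CREATE TABLE` statements only against a database on which `aspnet_regsql.exe` has already created the membership tables, otherwise the foreign key to `dbo.aspnet_Users` fails.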