We're planning to use standard ASP.NET user authentication for our application. However, by default this requires us to have our user database on our web server in the App_Data folder.

This is usually a big no-no for us - our databases are all behind the firewall and all access is done via a WCF Service layer.

If the database was on a different server, but directly accessible from the web server, then this still violates our usual architecture rules.

Should we worry about our user database living on our web server? Does ASP.NET offer an out-of-the-box alternative?

NOTE: We're using .NET 3.5 and SQL Server 2005

+5  A: 

You can install the necessary db tables etc. in any SQL Server database.

Use the aspnet_regsql.exe Wizard found in C:\WINDOWS\Microsoft.NET\Framework....... to set up the target database.

Then simply update the connection strings in the provider configurations in the web.config.

HectorMac
The database would still then be accessible from the web server, so still a risk.
Richard Ev
Ben Scheirman
+1  A: 

Yes and Yes.

  1. If you ever need to move to multiple web servers you shouldn't have the user data on one of those servers.

  2. There are multiple ways to do this, but check out this link for details on one: MSDN How To: Use Forms Authentication with SQL Server in ASP.NET 2.0

Aaron Hoffman
+1  A: 

Yes, you should worry. No, there is no out-of-the-box solution. ASP.NET only ships with a SQL Membership Provider and an Active Directory membership provider (reference). You will have to use a custom membership provider to provide your functionality.

Greg
+1  A: 

You can create your own custom membership provider by overriding the methods and properties of the following abstract class: public abstract class MembershipProvider. Once you override them, you can use any valid data source to authenticate the user. For example, you can use MySQL, SQL Server or even an XML file to authenticate your users. These provider models are really really cool.

Shiva