I'm updating my website at the moment and figure that if I am to update my login/security mode, now is a good time.
I have looked through the Membership model which is included in ASP.NET but I'm convinced that it will provide any benefit apart from being familiar to other .NET deevlopers.
There seems to be quite a lot of documentation for it, but little discussion for why its worth the effort.
Can anybody shed some light upon this?
This link will give you a lot of matter trying to convince you the advantages of the ASP.net membership provider. All I would like to say is that it fits well with most of .net solutions be it web, windows client etc. Also you may tweak a few things and roll your own provider. If the pants dont fit to your style, get one tailored !
It's value is that it is an easy to use ready built role based security framework. If you have already built your own framework and migration is not trivial then it may not be worth it. But one benefit of migrating would be you could eliminate a lot of application code and replace with framework code.
Unless you are the only person who will ever work on this particular site, I think the fact that it is familiar to .NET developers is a good reason to go the built-in Membership route. Other developers with ASP.NET experience can jump into the project and get up to speed on your site's authentication/authorization model very quickly.
We use the built-in Membership and Role provider model on our site and it works very well...we had to write our own Provider classes, since we use a different backing store for the data (we use Microsoft Dynamics CRM), but these classes are pretty simple and well-documented. By doing this bit of work up front, we can now use the Membership and Roles classes in code as well as the various login-related server controls on our pages.
Is there another alternative that you are considering?
If you ever want to migrate your site to any kind of already made portal software - like Community Server or DotNetNuke using the membership provider allows for easy migration. You can even use the existing database and not have to implement new ones.
The only think I really hate about the MembershipProvider that comes with .Net is the fact that the userid is a GUID instead of an auto incrementing identity. I know there are bonuses to using a GUID but integrating it pre-existing systems or modules can be a pain.
I see little benefit to using membership for a large site. This has been marketed as 'the' solution for ASP.Net authentication. However, really it looks like Microsoft is just trying to position the old Membership Server product as soemthing that everyone all of a sudden needs.
I worked on Membership Server at Msft around 10 years ago. Was also a lead developer on shop.microsoft.com, and I can tell you we used no internal server products on that site--not commerce server, not membership server. Not sure how they are doing it now--but I think the general consensus at that point was that those type of packages generally got in the way of what we were trying to do.
It could be useful for a smaller site, or if you have limited resources... i.e. a few hundred users for a departmental or small company intranet, where you don't want to invest much time or resources. The more I look at it, the more it seems completely inappropriate for larger, custom web sites.
What I really don't understand is how almost every ASP.Net book seems to push this as the only way to do it, rather than one way to do it.
I wrote my own after reading through all the stored procedures in the ASP.NET Membership provider. It's not hard and you have much more control at the end of the day.
If you like XML configuration, weakly-typed strings for roles, insecure by default, random web.config files littered through your directories instead of a clean marker interface on your page classes to say 'no account required', multiple database hits for a single login, user objects that aren't loaded from your current ObjectContext/DataContext and the ability to change providers on the fly (woo hoo, who uses that?!) go for the built-in one.
If not, build your own, but if you do, make sure you add salt and encrypt your passwords, and do a proper encrypted cookie please.