tags:

views:

229

answers:

3
+3  Q: 

Thinking about scrapping my idea of writing a custom membership and roles provider. Opinions?

I've got a web app I'm building in ASP.NET that has the following security requirements:

  1. Must be able to integrate with a master authentication scheme that passes back a unique key to the application to indicate a user has logged in via a third-party site.
  2. Must be able to use existing user/roles tables.
  3. May use forms authentication and allow users to log in via a separate login page if they aren't members of the third-party site.

I've tried customizing the SQL Role and Membership Providers, but I run into issues, particularly that there is a strongly-typed MembershipUser object that has a uniqueIdentifier (providerKey) and doesn't have room for my own custom set of keys (there will be two) that identify users.

Should I scrap my custom membership provider implementation and just go with cookies/session instead? I'd really like to use the built-in functionality but it doesn't seem doable.

+1  A: 

What you might want to do is to build your item 1 over the top of the existing functionality, try that first. With the information returned, automatically log the user in. If the first process fails, do the standard authentication using the built in code.

I have built this type of system on top of the ASP.NET membership provider many times for clients using DotNetNuke, it works very well.

Mitchel Sellers  2009-04-20 18:52:28
How do you handle custom fields that you want persisted in the login/forms cookie? Like ID's that you need to pull other data from the system? In other words, how do you "add on" to what the ASP Membership Provider gives you?
Caveatrob  2009-04-20 18:55:55
We use the profile properties functionality that exists in the membership provider to store the extra data.
Mitchel Sellers  2009-04-20 19:35:53
So you'd use the profile to store extra fields? Can the profile be loaded from an existing table in the database?
Caveatrob  2009-04-20 19:39:28
In our case, we sync profile items on login, using the providers methods.
Mitchel Sellers  2009-04-20 20:47:52
A: 

Go for it, here's the source to the built in ASP.NET 2.0 Membership provider from Scott Guthrie's blog.

CLaRGe  2009-04-20 18:54:38
A: 

I succesfully ditched the membership provider and do not user it at all. I created a new IMembershipService interface and an implementation for that which handles the creation and verification of my web application's users.

I've created my own User model. This allows me to have a flexible role model inside my application. I am free to create contextual domain roles and decouple them from the actual user model.

It's really not that hard. Remember to salt your passwords etc. and read some security books.

You can still use FormsAuthentication with this approach.

Most systems that rely on the asp.net membership provider are really schizophrenic in a way. You will have 2 Users table, for instance in CommunityServer you have aspnet_users and cs_Users where cs_Users references the MembershipId of aspnet_users and where it introduces yet another UserId. It also mirrors the username etc.

kitsune  2009-05-08 09:05:11

related questions

Store user id in Principal or Identity? ASP.Net/OpenID.
Converting Single DB ASP.NET Site into MultiTenant - Membership and Roles Dilema
customize asp.net membership by changing "userid" type to integer
ASP Membership cannot handle encrypted connection strings in web.config
what is the best way to make some pages in asp.net require login?
Looking for a Yahoo Groups (CMS) replacement
Why should I Use ASP.NET Membership security model?
ASP.NET: Does implementing a custom MembershipProvider class needs you to implement a custom Membership class too?
How to set the Principal in an ASP.Net app
How can you test if an ASP.NET membership password will meet configured complexity requirements?
ExpressionEngine Multiple Site Manager and Member Groups
Locking out a user in an ASP .Net Custom Membership Provider
ASP.NET Application to authenticate to Active Directory or SQL via Windows Authentication or Forms Authentication
Not using e-mail address in a custom MembershipProvider?
How to get current user in Asp.Net MVC
programmatic login with .net membership provider
ASP.NET Forms Authentication With Only UserName
Unit test Custom membership provider with NUnit throws null reference error
How to access UserId in ASP.NET Membership without using Membership.GetUser() ?
How can I wire users with their respective folders in ASP.NET?
Grabbing Users with a specific value in their profile
How do you pass an authenticaticated session between app domains
What's the best way to authenticate over WCF?
Memcached chunk limit
ASP.NET Site Maps