tags:

views:

267

answers:

1
+1  Q: 

Implementing a Custom Membership Provider with slightly bizarre requirements

Building a new Mobile Web Platform for Mobile Users to purchase & download content on their handsets. In the past we've used a completely bespoke login mechanism but I'm investigating using a Custom Membership Provider for the next version of the Platform.

The thing is, we have some slightly odd "login" mechanism requirements, so I'm not 100% sure that a MembershipProvider is the best fit.

Just looking for some general feed back on the requirements below with a "Yes, Membership Provider is a good fit" or "No, you're banging a square peg in a round hole"

Requirements

  1. User may be required to login with a "Mobile Number" (username) & "Pin" (password) This fits pretty well, as they've already signed up and confirmed with an SMS and it satisfies the ValidateUser(string username, string password) Method Implementation

  2. User may be required to login with only a "Mobile Number". In this case, we don't bother doing the identity verification on our side. It reduces the number of steps for the user and verification is done by the particular operator when we attempt to bill them. (The operators can validate that the mobile number entered, matches with the handset when it hits the operator payment site)... so even though users have a password, we'd need to bluff the membership provider in someway, and let them in with a blank password.

  3. User doesn't need to login at all. In this case, we can transparently bounce the user to a special network operator webpage, and we'll get the Mobile Number in Headers when they're transparently bounced back to us. In this case, we'd need to programmatically take that number from the headers, perform the login on their behalf in the code behind (again without any pin/password) and the user would be magically auto logged in.

Requirement 2 & 3 are bit odd. We essentially have 3 different login mechanisms that the one membership provider would need to satisfy.

  • User Entered Mobile & User Entered Pin
  • User Entered Mobile Only (code behind I suppose to satisfy the pin requirement)
  • Completely Transparent Login (code behind to do the entire login process)

Anyone got any comments/feed back on the above or have any advice on any bizarre membership provider implementation you've done in the past.

+1  A: 

I think it could work. We do #3 on one of our sites. Here is a chunk of code that we use to take care of it. To use this, create a login page (transparentlogin.aspx or something similar), make sure that the web.config file allows anonymous access to this page, and put code like this in the page_load function for the transparentlogin.aspx page:

const string specialpassword = "ThisIsOurSpecialPasswordForBehindTheScenesLogin";

if (MobileNumberFoundInHeader())
{
  string username = GetMobileNumberFromHeaders();
  // Authenticate the user behind the scenes
  System.Web.Security.FormsAuthentication.SetAuthCookie(username, false);
  System.Web.Security.FormsAuthentication.Authenticate(username, specialpassword);
}
else
{
  throw new Exception ("Mobile Number Missing");
}

Then, in the ValidateUser function in the MembershipProvider, make sure you do a check like this:

public override bool ValidateUser(string username, string password)
{
 const string specialpassword = "ThisIsOurSpecialPasswordForBehindTheScenesLogin";

 bool ValidationSuccess = false;

 // If the password being passed in is the right secret key (same  
 // for all users), then we will say that the password matches the
 // username, thus allowing the user to login 
 if (password == specialpassword)
 {
   ValidationSuccess = true;
 }

 if (DoStandardUsernamePasswordVerification() == true)
 {
   ValidationSuccess = true;
 }

 return ValidationSuccess;
}

As for requirement #2, I'm a little confused. What exactly is an operator? I thought we were dealing with a mobile phone using a web browser to browse to a website. Where does the operator fit into that? If the solution I propose above doesn't help, please post a response with more details about the Operator.

Tim

Tim Larson  2009-07-06 19:40:03
Eoin Campbell  2009-07-07 10:07:54

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps