views: 60

answers: 1

Looking for some feedback on the built-in membership and roles management for ASP.Net 2.0.

Do many people use it? What is good and/or bad about it? Can I assign multiple roles to a single user? What is the alternative norm for .Net apps?

I personally like the idea of having defined permissions or actions to a role. Seems like if I could only assign a single role to a user and I wanted roles to inherit permissions from each other, it would be a huge headache to manage using the built-in membership manager.

If I had the following roles...

Publisher
Editor
Member

and I wanted the Editor to have some of the permissions that the Publisher and the Member had plus some of its own, in my code it would be harder to determine if the current user can edit something, rather than just having a list of permissions pulled in by a role and checking to see if "Edit Article" is in the list.
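One way to build the permission list the question describes on top of role names, as an added example that is not code from the question or from the ASP.NET membership provider: the roles, permissions and the Editor's inheritance from Publisher and Member are assumed sample values, and in a real app the role names would come from Roles.GetRolesForUser.

```csharp
// Added example (assumed roles, permissions and inheritance), not the original post's code.
using System;
using System.Collections.Generic;
public class RolePermissions
{
    private static readonly StringComparer Cmp = StringComparer.OrdinalIgnoreCase;
    // permissions a role grants directly, and the roles a role inherits from
    private readonly Dictionary<string, HashSet<string>> _grants = new Dictionary<string, HashSet<string>>(Cmp);
    private readonly Dictionary<string, HashSet<string>> _parents = new Dictionary<string, HashSet<string>>(Cmp);
    private static void Add(Dictionary<string, HashSet<string>> map, string key, string[] values)
    {
        HashSet<string> set;
        if (!map.TryGetValue(key, out set)) map[key] = set = new HashSet<string>(Cmp);
        set.UnionWith(values);
    }
    public void Grant(string role, params string[] permissions) { Add(_grants, role, permissions); }
    public void Inherit(string role, params string[] parentRoles) { Add(_parents, role, parentRoles); }
    // Effective permissions of a user holding any number of roles; the visited set
    // stops an endless walk if two roles happen to inherit from each other.
    public HashSet<string> EffectivePermissions(IEnumerable<string> userRoles)
    {
        var result = new HashSet<string>(Cmp);
        var visited = new HashSet<string>(Cmp);
        var pending = new Stack<string>(userRoles);
        while (pending.Count > 0)
        {
            string role = pending.Pop();
            if (!visited.Add(role)) continue;          // already expanded
            HashSet<string> direct, parents;
            if (_grants.TryGetValue(role, out direct)) result.UnionWith(direct);
            if (_parents.TryGetValue(role, out parents))
                foreach (string p in parents) pending.Push(p);
        }
        return result;
    }
    // Deny by default: an unknown role or permission simply yields false.
    public bool HasPermission(IEnumerable<string> userRoles, string permission) => EffectivePermissions(userRoles).Contains(permission);
    public static void Main()
    {
        var acl = new RolePermissions();
        acl.Grant("Member", "View Article", "Post Comment");
        acl.Grant("Publisher", "Publish Article");
        acl.Grant("Editor", "Edit Article");
        acl.Inherit("Editor", "Publisher", "Member");
        // in ASP.NET the role names would come from Roles.GetRolesForUser(User.Identity.Name)
        string[] roles = { "Editor" };                  // constructed sample user
        Console.WriteLine(acl.HasPermission(roles, "Edit Article"));      // Editor's own permission
        Console.WriteLine(acl.HasPermission(roles, "Publish Article"));   // inherited from Publisher
        Console.WriteLine(acl.HasPermission(new[] { "Member" }, "Edit Article"));
    }
}
```

Because the check is on a permission string rather than a role name, adding a fourth role or re-parenting Editor changes only the map, not the code that guards each action.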

+1  A: 

The built-in membership provider is very easy to use, and it's fairly secure. I've used several versions of it in different projects. The great thing about it is that if it doesn't do EXACTLY what you need it to do, you can always just extend it. The built-in Identity object has roles, they're easy to access, store, compare against.

If you're using .Net and you need a fast, prepackaged, reasonably secure authentication source, you can't really go wrong with the built-in membership provider. If you need more security, just take what they give you and make it a little more hard-core. It's even fairly easy to integrate the existing membership authentication with an LDAP store if you have one.

Joel Etherton
What do you mean by fairly secure? In what ways could it be considered insecure or lacking?
qntmfred
@qntmfred - the biggest insecurity is that the password hash and salt are presented in plaintext. This would allow an attacker who gains access to the membership database to copy and extract these values to a local source and begin a dictionary attack against the hash itself until a match was found. I'm not saying it's not secure, but it depends on what you're protecting. I wouldn't use it to secure a banking application, but for a CMS as the OP describes it's more than suitable.
Joel Etherton