tags:

views:

242

answers:

7
+5  Q: 

Is *not* using the asp.net membership provider a bad idea?

Is it generally a really bad idea to not use the built-in asp.net membership provider?

I've always rolled my own for my asp.net apps (public facing), and really have not had any problems in doing so. It works, and seems to avoid a layer of complexity. My needs are pretty basic: once setup, the user must use email address and password to login, if they forget it, it will be emailed back to them (a new one). After setup there is little that needs to be done to each user account, but I do need to store several extra fields with each user (full name, telephone and a few other fields etc). The number of users that required login credentials are small (usually just the administrator and a few backups), and everyone else uses the site unauthenticated.

What are the big advantages that I might be missing out on by skipping the asp.net membership provider functionality?

+4  A: 

If you've got a solution that works well, stick with it. "If something works, don't fix it" and all that. Otherwise, consider that the Membership API has thousands of times the number of programmer-hours, QA-hours and user-hours behind it than anything you could come up with on your own.

Bob Kaufman  2010-06-03 19:24:05
Exactly. A lot of people have trouble realizing that their homegrown solution is a buggy mess. It's like admitting that your child is ugly.
Mike Mooney  2010-06-03 19:30:16
Your child might be ugly, but mine is beautiful. :p
Greg  2010-06-03 19:42:59
+10  A: 

The advantages of the provider model are outlined here, but in brief:

  1. Certain out-of-the-box webcontrols are built to use the membership provider model, such as the Login control/view and the Create User Wizard. So you miss out on a 1-step configuration for having a logged-in dashboard for all your pages without writing any code.

  2. Providers can be swapped with a simple change in the web.config file. Not saying you can't write your own login stuff to do the same, but you can easily write a custom provider at some point down the road and switch it into your application without changing a thing in the application.

  3. All the basics are provided. The default membership providers have password retrieval, account locking, multiple password encryption methods, valid password restriction rule configuration and user management, all out of the box. Just using that alone is a huge reduction in setup time for most people starting an ASP.Net application from scratch.

  4. A large component of your application is already vetted. You don't need to worry about debugging all your own authentication code! This means that when there are bugs, you often get fixes before site breaks, and you have the ability to pass the blame if not.

womp  2010-06-03 19:24:26
Most of these answers aren't reasons for not using your own membership provider. When properly implemented, you still get those things :)
Thorarin  2010-06-03 19:41:33
That argument could be applied to just about anything. He did specifically ask for advantages.
womp  2010-06-03 19:56:49
++ what he said. Unless you have a really compelling reason for wasting your time now and in the future, leveraging existing framework code is typically the best route.
Sky Sanders  2010-06-07 06:31:48
+1  A: 

How do you save the users' passwords? If you're saving in plain text, that's a major risk. One advantage of the ASP.NET Membership system is that it encrypts passwords by hashing, out of the box.

Dani  2010-06-03 19:24:39
+7  A: 

Rolling your own authentication system is never a good idea. There are so many ways to get it wrong that still seem to work in testing, until a year later when you find out your site was cracked six months ago.

Always lean as much as possible on the security code provided for you by your platform, be it asp.net or anything else. Do this, and the system is supported by a vendor with many more deployments so that bugs can be found and fixed more easily, and even if you do have a problem you can place the blame on the vendor when your boss comes asking about it. Not to mention that once you get past the first time using your vendor's solution, additional deployments will be faster. This is just the right way to do it.

The ASP.Net Membership provider is far from perfect, but I promise you that it's preferable to building it from scratch.

Joel Coehoorn  2010-06-03 19:28:44
Although I mostly agree, the basic ASP.NET membership provider contains a whole lot of stuff one not necessarily would need. If I want a clean system, I'd probably roll my own, with just those few methods i need and not use the standard one. Thoughts on this?
Arve Systad  2010-06-03 19:45:36
Generally with the provider model, you implement only the methods and properties you want to use. The classes are abstract so when you implement you must 'define' (override) the inherited abstract members, but common practice is to add a simple throw `NotImplementedException` in those members you don't want to use. By all means don't actually implement the code for every single method if you aren't going to use it.
KP  2010-06-03 19:51:14
Of course, but why not just make a custom class with only the needed methods if you implement all required stuff yourself anyways? Does the base class give you something you cannot easily get by doing it all yourself?
Arve Systad  2010-06-03 19:55:18
@Arve - yes, it does. Just because it's an abstract class, it doesn't means there's no code in there anywhere. It just means is has some abstract methods that you must implement. There are other methods that are not abstract, and other places in the framework that know how to hook into the stock class in the correct way. **Rolling your own system is a bad idea.**
Joel Coehoorn  2010-06-03 19:59:46
@Arve The point and advantage of the providers was well documented by `womp` in the answer above. There will be more code no doubt because of the unused members, however it's really a minor point in comparison to advantages gained. Having the least amount of code is not always the best solution. **Go your own way** doesn't trump built-in, pluggable functionality for the sake of a bit of code saved.
KP  2010-06-03 20:00:43
Asking => Learning. Thanks for the follow ups, Joel and KP!
Arve Systad  2010-06-03 20:02:12
++ yup. it's not perfect but it's peccadillo are a known quantity with a massive amount of collective experience available to deal with effectively.
Sky Sanders  2010-06-07 06:33:44
+1  A: 

You might get some insight from these other popular questions:

Which authentication and authorization schemes are you using - and why?

Microsoft Membership Provider Vs Custom Provider Vs Complete Custom Login System

Anyone uses ASP .NET Membership?

Alternatives to .Net Membership

DOK  2010-06-03 19:32:23
+1  A: 

In your case, authenticated users are the exception, not the norm, so it probably doesn't hurt to roll your own.

One thing .net provides is a brute force attack prevention, in case someone tries to brute force the admin password, the admin account will be locked out.

Greg  2010-06-03 19:34:24
+2  A: 

There is more to membership then just membership (login, email, password, and functionality around it). Aspnet separates membership from profile, and they can be integrated. Profile is everything you call 'extra fields'. You can have an anonimous profile with some customization, even if you don't have a membership. For example, a user could setup preferences, return to site, and still have them, but still don't register. Then when you register, anonimous profile can be migrated and associated with your new membership.

That is what you basically miss when you skip it.

Also, if you choose to use build in or third party controls which make use of membership and profiles, you miss it too.

You could implement a provider, instead of dropping the provider model all at once.

George Polevoy  2010-06-03 19:35:07

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps