The membership class is an extremely powerful and useful tool that can be used to secure a web application. A lot of developers prefer to implement their own system and this used to be my preferred method. However, after a recent revisit I highly recommend you take another look at the ASP.NET Membership system; it can save you a great deal of time.
The ASP.NET Membership Class is almost a framework in its own right and it comes with the following advantages:
- You can use the tool aspnet_regsql.exe to set up all the tables, views and stored procedures in your application database.
- You can set it up to use Active Directory as the user store for use in an intranet environment.
- You can use the membership controls to simply add a great deal of functionality, such as:
  - Log in forms
  - Sign out controls
  - Sign up forms
  - Change password
  - Lost password
- You can extend the system to add additional functionality specific to your requirements.
- It’s pretty secure; users’ passwords can be encrypted in case your database is compromised.
- You can implement the roles class to allow users to have different levels of access to your web application.
There are many more advantages, and to get started there is an excellent tutorial written by Scott Mitchell on the 4guysfromrolla website.
A Multipart Series on ASP.NET’s Membership, Roles, and Profile

This article is one in a series of articles on ASP.NET’s membership, roles, and profile functionality.
- Part 1 – learn about how the membership features make providing user accounts on your website a breeze. This article covers the basics of membership, including why it is needed, along with a look at the SqlMembershipProvider and the security Web controls.
- Part 2 – master how to create roles and assign users to roles. This article shows how to set up roles, using role-based authorization, and displaying output on a page depending upon the visitor’s roles.
- Part 3 – see how to add the membership-related schemas to an existing database using the ASP.NET SQL Server Registration Tool (aspnet_regsql.exe).
- Part 4 – improve the login experience by showing more informative messages for users who log on with invalid credentials; also, see how to keep a log of invalid login attempts.
- Part 5 – learn how to customize the Login control. Adjust its appearance using properties and templates; customize the authentication logic to include a CAPTCHA.
- Part 6 – capture additional user-specific information using the Profile system. Learn about the built-in SqlProfileProvider.
- Part 7 – the Membership, Roles, and Profile systems are all built using the provider model, which allows for their implementations to be highly customized. Learn how to create a custom Profile provider that persists user-specific settings to XML files.
- Part 8 – learn how to use the Microsoft Access-based providers for the Membership, Roles, and Profile systems. With these providers, you can use an Access database instead of SQL Server.
- Part 9 – when working with Membership, you have the option of using .NET’s APIs or working directly with the specified provider. This article examines the pros and cons of both approaches and examines the SqlMembershipProvider in more detail.
- Part 10 – the Membership system includes features that automatically tally the number of users logged onto the site. This article examines and enhances these features.
- Part 11 – many websites require new users to verify their email address before their account is activated. Learn how to implement such behavior using the CreateUserWizard control.
- Part 12 – learn how to apply user- and role-based authorization rules to methods and classes.
- Part 13 – see how to create a login screen that allows Admin users to log in as another user in the user database.
- Part 14 – learn how to create a page that permits users to update their security question and answer.
- Part 15 – the Membership API does not provide a means to change a user’s username. But such functionality is possible by going directly to the user store, as this article illustrates.
- Part 16 – the Membership system includes the necessary components for enforcing expiring passwords. This installment shows how to implement such a policy.
- Part 17 – see how to display important, unread announcements to users when they sign into the website.
- Part 18 – often, applications need to track additional user information; learn how to capture this information in a database and see how to build pages to let users update their own information and to display this information to others.