1

Just wondering what the best practice for handling login/user authentication in mvc3 would be. Better to use the built-in membership such as:

    [HttpPost]
    public ActionResult Register(RegisterUser model)
    {
        if (ModelState.IsValid)
        {
            // Attempt to register the user
            MembershipCreateStatus createStatus;
            Membership.CreateUser(model.UserName, model.Password, model.Email, null, null, true, null, out createStatus);

            if (createStatus == MembershipCreateStatus.Success)
            {
                FormsAuthentication.SetAuthCookie(model.UserName, false /* createPersistentCookie */);
                return RedirectToAction("Index","User");
            }
            else
            {
                ModelState.AddModelError("", ErrorCodeToString(createStatus));
            }
        }

        return View(model);
    }

or something more simple and custom such as making your own cookie to avoid having to use the pre-packaged database structure each time?

    // Build a forms-authentication ticket by hand, bypassing Membership entirely
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,                              // ticket version
        user.UserName,                  // name stored in the ticket
        DateTime.Now,                   // issue date
        DateTime.Now.AddMinutes(10),    // expiration
        false,                          // not persistent across browser sessions
        null);                          // optional user data

    // Encrypt/sign the ticket with the machineKey and send it as the forms cookie
    string encryptedTicket = FormsAuthentication.Encrypt(ticket);
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

    this.Response.Cookies.Add(cookie);

3 Answers

3

Personally I agree with the approach taken by Stack Overflow in providing two ways to register directly via Stack Exchange and OpenId / OAuth access; Google, Yahoo, Facebook, Twitter, etc.

When providing your own registration I would stick with either the ASP.NET Membership provider or a similar one made available via NuGet.

When using OpenId and OAuth I've had great success with DotNetOpenAuth. Refer to Andrew Arnott's detailed answer on the benefits and justification for using OpenId: To OpenID or not to OpenID? Is it worth it?


2

The ASP.NET Membership exists for a reason.

If it was as simple as setting a cookie, LinkedIn hackers wouldn't have my password.


Do not write your own Membership provider unless you REALLY know what you're doing.


1

I would suggest that your best option is to provide a custom provider, so that you don't have to use the 'pre-packaged' database. This way you can re-use the built-in authentication and authorization stuff, while still having a customised user database.

It is not that difficult, simply create a class deriving from MembershipProvider (and RoleProvider if you want to include roles). These are abstract classes, so you need to provide implementations of the various methods. To save having to provide implementations for all the methods, you can have methods you aren't going to use throw NotImplementedException.
