15

I want to use authentication on my site in order to login to the Admin section. I already have my database schema, I don't want to use the ASP.NET membership tables for SQL Server. I have three tables: Employees, Roles, and EmployeesInRoles.

I'd really like to keep this as simple as possible, but I'm having trouble finding a solution. I just want to use forms authentication with my tables so employees can log in, log out, change their password, etc.

If anyone could direct me to a blog post or tutorial about this, that would be great.

3
  • Not sure how secure your data needs to be, or the risk factor, but assuming that it's worth protecting or you wouldn't be bothering... Be sure you follow the OWASP guidelines. Most developers should not be rolling their own security when an existing API that was developed and tested by experts is readily available, but if you insist, at least follow the guidelines. owasp.org/index.php/Authentication_Cheat_Sheet Commented Jan 3, 2011 at 18:01
  • 7
    @David: I have to disagree- the source of the built-in implementation is available for derivation. It can be onerous to have to use the built-in tables when you already have User tables built into your data model. Microsoft based the Membership provider on interfaces specifically so it can be extended. Commented Jan 3, 2011 at 18:04
  • I'm going to amend my previous comment- password storage is not a simple thing and can easily be done wrong. So, extend away, but make sure you understand how to encrypt sensitive data at rest in a database. Commented Apr 10, 2012 at 14:39

2 Answers

24

Steven, check out my series of tutorials on website security: http://www.asp.net/web-forms/overview/older-versions-security/introduction/security-basics-and-asp-net-support-cs

(EDIT: I've updated the above URL as the original URL was returning a 404. But please bear in mind that this material was written in 2008 and is hopelessly dated now.)

The first three tutorials focus exclusively on forms-based authentication without discussing Membership. These first three tutorials - especially tutorials #2 and #3 - should get you moving in the right direction.

To implement roles without using the built-in ASP.NET Roles framework, check out this article: Role-Based Authorization With Forms Authentication.

All that being said, I would suggest that you reconsider using ASP.NET's baked in Membership and Roles libraries. Avoiding them means you're going to have to reinvent the wheel, and you'll probably do it wrong. (For instance, are you securely storing user passwords in your custom implementation?)

Happy Programming!


6 Comments

+1 - rolling your own is usually a bad idea, and I am in total agreement with you on this!
That works, up until you have to work with a non-SQL Server datastore.
@EdDeGagne, you can create a custom membership provider to deal with an alternate data store. In fact, someone may have already done so. For instance, here is a custom membership provider for MySQL - codeproject.com/Articles/12301/…
Already doing that Scott, I have a custom membership provider working on a UniData DB (multi-value database). It was a challenge and still not 100%.
@ScottMitchell that first link throws a 404.
4

The built-in Membership provider is based on interfaces that can have their implementation replaced by your own, which (among other things) can use your own tables for authentication.

Here is a video on creating a custom ASP.NET Membership provider: http://www.asp.net/general/videos/how-do-i-create-a-custom-membership-provider

Here's a good general article with pointers to other resources:
http://weblogs.asp.net/scottgu/archive/2006/02/24/ASP.NET-2.0-Membership_2C00_-Roles_2C00_-Forms-Authentication_2C00_-and-Security-Resources-.aspx
