Security

Re: ASP.NET 2.0 Built-In Membership

mwheeler — Thu, 09 Jul 2009 23:41:58 GMT

Thanks for all your feedback and the wealth of information. We have decided to go middle ground and have succeeded in getting our log-ins to work.

Regards,

Re: ASP.NET 2.0 Built-In Membership

integrasol — Sat, 04 Jul 2009 05:04:59 GMT

Based on your description and assuming you want as much out-of-box as possible, I'd go with ASP.NET Membership and Profile properties, and the ASP.NET Login controls. As I see it, it will help you with all of your requests.

ASP.NET Profile Properties Overview: http://msdn.microsoft.com/en-us/library/2y3fs9xs.aspx

Login Controls Overview: http://msdn.microsoft.com/en-us/library/ms178329.aspx

Managing Users by Using Membership: http://msdn.microsoft.com/en-us/library/tw292whz.aspx

Based on your description of custom user information, I don't think there's a need for a separate database; custom profile properties ought to do it for you. You can place your admin pages in a separate folder and have these folders secured with a location element in the web.config, and have the menu security trimmed using the Menu control and a SiteMapProvider control, based on a web.sitemap XML file using the roles attribute. As I said there's a lot out-of-box using these features, but obviously it will take some time to put together. The only thing that I think you will have to do manually is the creation of a new user; it is certainly supported by the Membership class, but you need to supply the username. However, creating an algorithm for creating a new user, shouldn't be that big a deal.

There you have it, me 0.02$

Good luck.

Re: ASP.NET 2.0 Built-In Membership

asifchouhan — Sat, 04 Jul 2009 04:51:13 GMT

Go through this links

Introduction to Membership Provider : http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx

How To: Use Membership in ASP.NET 2.0 : http://msdn.microsoft.com/en-us/library/ms998347.aspx

Regards

Asif

Re: ASP.NET 2.0 Built-In Membership

RickNZ — Sat, 04 Jul 2009 04:45:26 GMT

If you expect your site to be relatively low-traffic, then the built-in membership system would be fine. It's not suitable for large-scale or performance-sensitive sites, but works great for small sites, and can help you get up-and-running quickly.

BTW, you said you don't need roles, but that a site manager would be able to view certain pages -- that sounds like an application for roles to me....

Another thing to consider is that there is a middle ground between a full-custom solution and using the entire built-in mechanism: you can build a custom MembershipProvider. You do that by providing methods for things like creating a user, logging in, etc. That way, you can have your own schema while still leveraging the rest of the infrastructure.

ASP.NET 2.0 Built-In Membership

mwheeler — Fri, 03 Jul 2009 17:38:04 GMT

We are in the process of building a new web site for a virtual airline based on Microsoft Flight Simulator and are not sure how we should setup our logins. Should we use the built-in ASP.NET Membership or just use a custom login and database table?

Here are some of the reasons why we are not sure which way we should go:

The web site is hosted with a web hosting company (they do support ASP applications) but we do not have access to the IIS console;
We previously had a web site written in Classic ASP and the login table was a simple table in an SQL database that had the user name (Pilot ID) and password. There wasn't and there still is no need to use roles, etc.
The user names (Pilot ID) need to be auto-generated. (i.e. CXA100, CXA101, CXA102, etc.);
A list of all users (Pilot IDs) in a dropdownlist is to be part of the login control, where a pilot would select his Pilot ID from the dropdown list and then enter his password;
We are using a MasterPage which will contain the login box, so that users can login from any page on the web site;
A logged in user should not be redirected to any other page;
In general, visitors to our web site will be able to view most of the content on the web site without logging in;
However, based on our previous classic ASP web site, an authenticated user who is a site manager, would be able to view certain pages (in order to approve new user registrations, etc.) based on their authenticated user name. (i.e. CXA001 can view the management pages, etc.);
Our database keeps track of how many hours each user has flown and we work on a reward system, where as you increase your hours flown, it unlocks the Download button on the aircraft pages, so you can download and install larger aircraft to fly on-line. (If you do not have enough hours or you are not logged in, the download button is hidden);
Our web site is being written with Visual Studio 2005 and our database is a SQL 2008 Server database.

Based on the above criteria, how would you recommend that we proceed?

Your feedback and guidance on how to proceed is greatly appreciated.