I'm creating an ASP.NET MVC site and I need to implement login and membership functionality.
Is this something where I roll my own? I already have a members table in my database, should I create a username and password hash field and just check against it? What about keeping the user logged in with a cookie that expires?
Is this an instance when you would use ASP.NET's built in Membership service?
ASP.NET MVC neophyte seeks help.
When you create a new ASP.NET MVC site, it already has membership built in. The CodePlex project mentioned in the other reply is only needed in special cases, namely:
You are using an early beta of the MVC framework, which doesn't have the membership feature.
You want to use an authentication system like OpenID, which isn't supported "out-of-the-box" with MVC.
You want membership administration features not included "out-of-the-box"
However, like I said, basic membership functionality is already present in an MVC site. Just add the [Authorize] attribute to any action requiring login. This is regular forms authentication, so you configured in Web.config like a non-MVC site (specifying the database, etc.; there's lots of information on the web about this).
A default MVC site will contain an "Account" controller and views which you can customize to fit your needs.
To answer the obvious question, no, you should not "roll your own." Even if you need custom authentication, it would be better to create a regular ASP.NET membership provider than to create an entirely new membership framework.
Update: The CodePlex project was updated to work with MVC 1.0
If you want to use something safe to start off with, either use the new project's template membership or consider using http://www.codeplex.com/MvcMembership.
Related
I have a an ASP.NET MVC5 project using Entity Framework. I have all the regular membership entities (AspNetUser, AspNetRole, ...). In the RoR or Django world we can add admin views extremely easily and I wonder if the ASP.NET MVC eco-system has anything similar to offer.
I'm thinking about admin views for tasks as listing users, editing user's roles, changing user fields, etc. within the standard membership realm.
I know I could scaffold views (with more plumbing code than what I'd use with Django), but I'm pretty sure I wouldn't be the first one who'd create views for managing users for standard ASP.NET MVC membership setup. I made more than enough Google searches, but I only find articles about the membership provider system.
Ideally I'm looking for a NuGet package.
I'm afraid currently we don't have one but you can use https://code.msdn.microsoft.com/ASPNET-MVC-5-Security-And-44cbdb97 project to work as your administration.
ASP.NET newbie here, I'm looking for a way to integrate my existing database into ASP.NET's authentication system. I have a separate project making use of Entity Framework to interact with a database (Model-First Entity Framework 5) that I would like my ASP.NET MVC 4 site to use to authenticate off.
To further complicate matters, this is not a simple username/hash/salt table. I employ Blind Hashing and two factor authentication using the Google Authenticator (OATH-TOTP) is an option users can have. Additionally, I don't just have users, I have Accounts and Profiles, of which an Account can have many profiles (distinct, separate 'users' in a public sense that the owner can easily switch between). Lastly, Account can also have several emails, not just one. In other words, this doesn't fit in to normal user/password conventions when dealing with authentication. Fortunately, I've written partial classes to give most of these entities (such as Account) ways to handle this easily, such as:
someAccount.CheckPassword(password[, twoFactorToken])
I can do this easily enough using Entity Framework 5, but I'm very unfamiliar with how ASP.NET MVC 4 handles users. Is there an easy way to get user authentication going in ASP.NET MVC 4? Do I need to do something with MembershipProvider? Do I use SimpleMembership or the legacy one? Bonus: Can I take advantage of Windows Identity Framework and use that instead?
I've opted instead not to use the Membership Provider, and just use Forms Authentication. I did not realize you could use this without using a membership provider.
I'm pretty new to MVC and looking for an MVC3/Razor web project template that uses a custom membership provider (or custom authentication whatsoever).
I want the project to contain a SQL database, that has a simple User/Role/UserRole scheme, and the user table contains a UserId, Username and Password fields (preferable encrypted), and some login functionality that works thru it.
Any direct link or guidance on how to do it the short way will be highly appreciated.
When I had to do this I started with Asp.Net MVC Membership Starter Kit. Good luck!
I am planning a new portal solution in ASP.NET MVC. I need to be able to have some parts of the site visible for everyone (public part) and a part where only registered users are allowed to visit. In traditional Web Forms the security was made on folder level, but how about ASP.NET MVC? Could someone please explain me how to do this - or if its more beneficial to go the web forms way.
/H4mm3rHEad
Security is mostly done on the Controller or Action level via attributes. More information on the Authorize attribute can be found here:
http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute%28VS.100%29.aspx#using_authorizeattribute
You can easily see how it works by going File-> New MVC project and checking out the AccountController.cs file inside the /Controllers/ directory.
Be aware the answers by Vitaly and Agent_9191 are not current and reference mostly preview MVC builds. Those articles may reference code and or functionality that does not exist or has been depreciated.
Take a look at this post talking about the AuthorizeAttribute. It can be applied to specific actions or an entire controller.
How would you handle membership in an ASP.NET MVC application? Using any external libraries? How would you do OpenID log in? username log in? email log in? any other that is worth looking into? Maybe all of them mixed into the application?
It seems ASP.NET comes with some pre-build user database (I'm totally new to .Net). The NerdDinner example uses it but then it makes the foreign keys use the username. That doesn't sound very good. Do you use this schema of two separate databases or only one? What do you use as the foreign key, any IDs?
I've found ASP.Net MVC Membership, anybody using it? does it work well? can it be expected to be maintained?
Membership Providers are not new to ASP.Net MVC, they were introduced with ASP.Net 2.0.
The Membership Provider model is simply an abstraction layer between your application and whatever source you are authenticating your users against. You can switch providers easily by simply changing your web.config file.
It is easy to write a membership provider, there are many walkthroughs on the web. Typically you would do so if you were using a database that used a different schema than the default examples that come with ASP.Net (which is most of the time). The foreign keys on the username thing in the NerdDinner example is a simplistic example that you would rarely see on any real-world databases.
I would highly recommend using the Membership model. Controls like the Login control are built to make use of it, and it is well-designed and makes it easy to change or combine different login methods for your application. If you want to use OpenID, a quick google search brought up this OpenID Membership Provider.