In the past I've used the default SQL Membership provider to secure a website. This worked well but required the creation of the ASP_Authentication database (using the reg_sql tool) and dozens of tables / stored procs etc.
I now have a simple website on a £10 per month host. I get a SQL Server instance as part of the deal but don't have the ability to connect to it through SQL Management Studio. I can't run the reg_sql tool or even take a script from a previously generated database and run that.
Actually, the ASP_Authentication database is overkill for what I need. I just was a simple username / login store that I can authenticate against. I have no need for group / roles etc.
Does anyone know of a good blog article or similar that describes how to do this?
Many thanks
Rob.
I would advise you to stick with the sql membership if you just want a simple login mechanism. You dont have to use the roles or any additional features such as secret question/answer.
Via The Commandline
You can use the aspnet_regsql tool locally to just generate sql scripts. You must have access to some kind of tool for managing the database so perhaps this will be enough for you?
I have written an article on using this tool via the commandline. I also address the issue of only adding the tables you actually want to use (no need for the personalization, web parts, etc tables).
The article is on my blog here:
http://www.google.co.uk/search?q=asp.net+custom+membership+provider
It doesn't cover how you can dump the sql scripts out to a file but it does give you a hint (it says you can use -? to view all commandline arguments). Open up a command window (start | run | cmd | enter) and type:
asp.net v2:
cd C:\Windows\Microsoft.NET\Framework\v2.0.50727\
aspnet_regsql.exe -sqlexportonly C:\aspnetmembership.sql -A mrp
asp.net v4:
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\
aspnet_regsql.exe -sqlexportonly C:\aspnetmembership.sql -A mrp
If the v4 doesn't work then look in the next one up and use the latest v4 folder in there.
You will then find a file called aspnetmembership.sql in the root of your C: drive which you can use with whatever database management they provide.
Via Code
There is another option to getting the tables set up which is generally less well known by the community; you can actually do it through a method in the System.Web.Management namespace. I learned this technique in a post by Peter Bromberg and keep it tucked away. Its a simple one liner:
Management.SqlServices.Install("server", "USERNAME", "PASSWORD", "databasename", SqlFeatures.All)
You can read the rest of his advice here.
Custom Membership Provider
To actually answer your question though, there are tons of articles on the web which explain how to create custom membership providers:
http://www.google.co.uk/search?q=asp.net+custom+membership+provider
If you do decided to "roll your own" then please stick to the plan and use the membership provider framework rather than writing your own from the ground up.
Not sure if you're using ASP.NET WebForms or MVC, but I created a NuGet package to enable SimpleMembership in ASP.NET MVC3: http://nuget.org/List/Packages/SimpleMembership.Mvc3
This is the SimpleMembership API from ASP.NET WebPages/WebMatrix. Very easy and full-featured.
It should work with ASP.NET WebForms as well.
you should look at this post which shows the features of simplemembership which is what is suited for your use
http://weblogs.asp.net/jgalloway/archive/2012/08/29/simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates.aspx
Related
Is there a utility that will manually enter a new user in the ASP.NET membership and roles SQL tables? I'm looking for something that has a UI for making the necessary changes/insertions into the SQL tables.
I would like to find a packaged way to managing users/roles as simply as possible, without necessarily adding all this functionality to my app. My gut tells me there's some utility to manually do this from a command line or some other utility.
I found a reference to the old, deprecated one (which I was sure existed), and I a link to a new one.
The old one was called "ASP.NET Website Administration Tool," and was removed in 2014.
An alternate is called Thinktecture.IdentityManager, and is on GitHub here:
https://github.com/IdentityManager/IdentityManager
Found via Scott Hanselman's post here:
http://www.hanselman.com/blog/ThinktectureIdentityManagerAsAReplacementForTheASPNETWebSiteAdministrationTool.aspx
I have a usermanagement table into my sql server 2008 i want to check each user with their particular role frm my database & not from asp.net predefined database. please help me with the code for the same. also what i need to change into my web config file.
You probably want to implement (roll your own) version of the membership provider to make this job easier, more secure and less error prone - it will also save you writing tons of additional plumbing code.
In essence it means implementing the IIdentity and IPrincipal interfaces (Sounds scary but its really not that bad). See this blog here http://www.bradygaster.com/custom-authentication-with-mvc-3.0 for a step by step guide. Additionally it is worth reading the comments and links to enable proper Forms Authentication via Auth Cookie rather than the basic session management referenced directly in the post!.
Also note this example on the blog is for MVC 3 BUT its equally applicable to Web Forms projects too.
I have configured ASP user database. I can create users/roles either programmatically or by going to Project -> ASP.Net configuration in Visual Studio IDE.
Server this database is running on doesn't have VS installed. Is there a way to add users/roles through command line or IIS settings?
Thank you
If you set the connection string properly you can use VisualStudio running locally to configure your remote asp.net membership database.
I do that all the time.
Make sure your connections strings are right on your Web.Config file.
This is the easiest unless you want to code it yourself.
*Edit *
Just to be clear, you are not required to have Visual Studio installed on the server which hosts the membership database.
However this only works if you are not storing any additional data per user which is not part of asp.net's MembershipUser class.
In most cases you would implement a register page where you would collect the additional info. On submit you create a new MembershipUser (using MembershipProvider API) and then persist the additional information as best suits your needs. I typically use the MembershipProvider and have an store my custom info in an AppUsers table, (with the asp.net userId as a FK).
Hope this helps ;-)
Using MembershipProvider and RoleProvider is very, very easy. Ask if you need some sample snippets.
You can create a simple site or an admin only page on your current site and use the CreateUserWizard control. A Guide to customizing this control can be found here: https://web.archive.org/web/20211020103243/https://www.4guysfromrolla.com/articles/070506-1.aspx
Documentation here: http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.createuserwizard.aspx
You can also use the membership objects to do this through code if you want to create your own console application to do it from the command line.
Do not try and do this in the database directly.
you can just add them manually to the database tables, there not that hard to deduce, just apply insert commands using your favorite sql client
Hai,
i am trying to store the user permissions for my web site.But I am little bit confused with xml and Database. For each user in site have different permissions. Have u ever faced this issue? for Example , if my site is a shopping site , for a local user , the report menu need not to display. A sales man need not to display the purchase page. and so on ..
I think you understood my problem .I have done this user management using a xml file . For each user a new node will create according to the menu and keep in the xml file . Next time the user login ,checks the permissions and and show only the allowed menus.
My boss tell me to do the same thing using the Database. by using XmlDataSource it is quite simple to bind data to the treeview (for setting permission) and binding to the menustrip also.
He is pointing the security problem . i don't think like so.
Which is better ? DB or XML
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
My advice would be to use asp.net membership and roles (written by Microsoft). It is a very good security solution - login security, roles (permissions) and is stored in a SQLServer database (not sure if it can be stored elsewhere).
I use it on my site and you can use membership controls straight out of the box (login forms, change password, etc.) or you can roll your own.
The only tricky bit I found was setting up the membership tables, views and stored procs in my dB (you download a dB script), but really it was fairly straightforward to implement.
Here's a link to asp.net membership and roles
ASP .NET Membership and Roles (part of the Provider Model introduced on ASP .NET 2) is (IMHO) nice only when you need some basic stuff. The issue is that you need to use the whole system using SQL Server, but if you are planning to move to a different DB provider (MySQL, SQLite, etc..) then you'd have to implement your own provider (which is at best painful), and learn how the whole pieces fit each other. Granted, finding a custom implementation it's quite easy, but is not a copy & paste thing.
Another bad thing of the default provider model is that you will get a ton of SQL stored procedures, also called maintainance nightmares. The issue is that if your site scales, then these SP's will make your life a living hell (been there) and if you even dare to change hostings then you're in for a treat, so my advice would be make your own permissions hierarchy and use it the way you wish. Also, look for advices and some pre-existing solutions to the permissions problem which is quite common.
Website security can be split up into to distinct parts.
Authentication: Logging in
Authroization: Roles/Permissions.
The ASP.NET Forms Authentication Provider is a great way to implement authentication. I recently created a custom provider that communicates with our companies X500 directory (LDAP). It was very straight forward.
For Authorization, we implemented the entlib security application block. It allows you to keep Roles/Permissions in a separate location that can be accessed by your UI as well as your service layers (assuming your developing a scale-able solution). You may also want to look at the Windows Itentity Foundation which is slated to supersede entlib security application block, however it is only available for .NET 4.0.
I'm a newbie at this, so please be nice to me =^)
I'm creating a website with ASP.net and I have a sign up page. The user has to enter a name and password in textboxex, and choose a location and reason for joining from dropdown lists. (There is a built in wizard for new user sign-up but I chose not to use it).
I would like to save the information entered in a table in a database in the App_Data folder. How do I do this?
You will also need to learn ADO.NET which is the database access technology of choice for .Net.
Here's a basic tutorial to get you started...
Also Googling for asp.net ado.net tutorial will bring up good hits.
If you're creating a public-facing website, you need to put some serious thought into how you process, store, and retrieve user information. ASP.NET provides a lot of good functionality for this type of thing using the Membership class. You'll find this class in the System.Web.Security namespace.
You can also use the aspnet_regsql.exe application to generate the tables and stored procedures necessary to store this information correctly (i.e. storing hashed values for passwords and secret questions/answers, etc.)
As mentioned previously, many good tutorials (both written and video) can be found on these topics on the ASP.NET site as well as on MSDN.
As the godfather of ASP.NET, Scott Guthrie, might say: "Hope this helps."
You need to:
1) Have a schema representing the database and create it on the machine
2) Have an ability to execute queries against the data
3) Write a query to insert the user data into the database.
I'm sure google has a ton of ASP tutorials.