ASP.net - Own login module or built in? - asp.net

I'm creating a website in ASP.net and using a MySQL database. What would you guys suggest I do?
Build my own login system with SQL Injection check
Built in login control using a compliant membership provider
What are possible pro/cons of both?
Thank you very much!

I would use my own:
Create a User class with a database table for it (better use an ORM like EntityFramework to do all the dirty work)
Make a UserService class for registration, authentication, password hashing and other logic.
I've used the built-in asp.net user/roles management for one project. There is nothing wrong with it. But if you need more control over code and flexibility - consider writing your own, it will be easy.
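For the "own login system" option discussed above, this is an added example (not code from any of the answers) of a UserService that hashes passwords with PBKDF2 and talks to MySQL only through parameterized commands, which is what replaces a hand-written "SQL injection check". It assumes the MySql.Data connector and a table users(username, salt BINARY(16), hash BINARY(32), iterations INT).

```csharp
// Added example (not from the original answers); assumes MySql.Data and a table
// users(username VARCHAR(64) PRIMARY KEY, salt BINARY(16), hash BINARY(32), iterations INT).
using System.Security.Cryptography;
using MySql.Data.MySqlClient;
public class UserService
{
    const int Iterations = 100000;  // PBKDF2 work factor; raise as hardware allows
    readonly string _connStr;
    public UserService(string connStr) { _connStr = connStr; }
    public void Register(string username, string password)
    {
        byte[] salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        byte[] hash = Derive(password, salt, Iterations);
        using (var con = new MySqlConnection(_connStr))
        using (var cmd = new MySqlCommand(
            "INSERT INTO users (username, salt, hash, iterations) VALUES (@u, @s, @h, @i)", con))
        {
            // Values travel as parameters, not as SQL text, so a stray quote in the
            // username cannot change the statement; no manual escaping is needed.
            cmd.Parameters.AddWithValue("@u", username);
            cmd.Parameters.AddWithValue("@s", salt);
            cmd.Parameters.AddWithValue("@h", hash);
            cmd.Parameters.AddWithValue("@i", Iterations);
            con.Open(); cmd.ExecuteNonQuery();
        }
    }
    public bool Authenticate(string username, string password)
    {
        using (var con = new MySqlConnection(_connStr))
        using (var cmd = new MySqlCommand(
            "SELECT salt, hash, iterations FROM users WHERE username = @u", con))
        {
            cmd.Parameters.AddWithValue("@u", username);
            con.Open();
            using (var r = cmd.ExecuteReader())
            {
                if (!r.Read()) return false;  // unknown user: same answer as a wrong password
                byte[] computed = Derive(password, (byte[])r["salt"], r.GetInt32("iterations"));
                return FixedTimeEquals((byte[])r["hash"], computed);
            }
        }
    }
    static byte[] Derive(string pw, byte[] salt, int iter)
    { using (var k = new Rfc2898DeriveBytes(pw, salt, iter)) return k.GetBytes(32); }
    static bool FixedTimeEquals(byte[] a, byte[] b)  // no early exit on the first mismatch
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Storing the iteration count beside each hash lets you raise the work factor later and re-hash users as they log in.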

Do I need to customize membership provider?

I'm building a new Asp.Net MVC3 solution and would like to have all the tables in the same database (including the membership, users and roles tables). So I don't want to have a separate aspnetdb.mdf file. I think I only have to adjust the membership section in Web.config (connection string) in order to point to my single database. Right? Please correct me if I'm wrong. So until now, no need to customize the membership provider.
Second question: can I name my table for managing users (membership) the way I want without customizing the membership provider or do I have to customize it? I think I have to customize the membership provider if I change the user table name. Correct?
Thanks.
You certainly don't have to implement your own provider (I mean you can if you want, but I cannot see a reason).
I would create a blank database and then fill it in with the Membership database schema via aspnet_regsql.exe tool. Here is a great blog post on that:
Installing ASP.NET Membership services database in SQL Server Express 2008
Then build your own tables, UDFs and SPs in that same database. You will end up with one database at the end.
Point your membership provider to that database and you are good to go.
Description
It looks like you have to implement your own MembershipProvider and MembershipUser. That sounds harder than it is. You can implement your own logic, own data access and more. This is also a good way to learn how ASP.NET handles authorization.
More Information
Implementing a Membership Provider
How to: Sample Membership Provider Implementation

How to add users to ASP user database?

I have configured ASP user database. I can create users/roles either programmatically or by going to Project -> ASP.Net configuration in Visual Studio IDE.
The server this database is running on doesn't have VS installed. Is there a way to add users/roles through the command line or IIS settings?
Thank you
If you set the connection string properly you can use VisualStudio running locally to configure your remote asp.net membership database.
I do that all the time.
Make sure your connection strings are right in your Web.Config file.
This is the easiest unless you want to code it yourself.
*Edit*
Just to be clear, you are not required to have Visual Studio installed on the server which hosts the membership database.
However, this only works if you are not storing any additional data per user that is not part of asp.net's MembershipUser class.
In most cases you would implement a register page where you would collect the additional info. On submit you create a new MembershipUser (using the MembershipProvider API) and then persist the additional information as best suits your needs. I typically use the MembershipProvider and store my custom info in an AppUsers table (with the asp.net userId as a FK).
Hope this helps ;-)
Using MembershipProvider and RoleProvider is very, very easy. Ask if you need some sample snippets.
You can create a simple site or an admin only page on your current site and use the CreateUserWizard control. A Guide to customizing this control can be found here: https://web.archive.org/web/20211020103243/https://www.4guysfromrolla.com/articles/070506-1.aspx
Documentation here: http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.createuserwizard.aspx
You can also use the membership objects to do this through code if you want to create your own console application to do it from the command line.
Do not try and do this in the database directly.
You can just add them manually to the database tables; they're not that hard to deduce. Just apply insert commands using your favorite SQL client.
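The "console application from the command line" suggestion above, as an added example that is not code from any of the answers: users and roles go through the Membership and Roles API so the provider hashes and salts the password and writes the tables itself, instead of hand-written INSERTs. It assumes the tool's App.config carries the same connectionStrings, membership and roleManager sections as the site's Web.config, and references System.Web.

```csharp
// Added example, not from the original answers. Requires an App.config with the site's
// <connectionStrings>, <membership> and <roleManager enabled="true"> sections.
using System;
using System.Web.Security;

static class UserAdmin
{
    // usage: UserAdmin.exe <username> <email> <role>
    static int Main(string[] args)
    {
        if (args.Length != 3)
        {
            Console.Error.WriteLine("usage: UserAdmin <username> <email> <role>");
            return 2;
        }
        string user = args[0], email = args[1], role = args[2];
        // Prompt for the password instead of taking it as an argument, where it
        // would be kept in shell history and visible in the process list.
        Console.Write("Password: ");
        string password = ReadHidden();
        MembershipCreateStatus status;
        Membership.CreateUser(user, password, email, null, null, true, out status);
        if (status != MembershipCreateStatus.Success)
        {
            // e.g. InvalidPassword (policy from web.config) or DuplicateUserName
            Console.Error.WriteLine("create failed: " + status);
            return 1;
        }
        if (!Roles.RoleExists(role)) Roles.CreateRole(role);
        Roles.AddUserToRole(user, role);
        Console.WriteLine("created " + user + " in role " + role);
        return 0;
    }

    // Read a line without echoing it to the terminal.
    static string ReadHidden()
    {
        var sb = new System.Text.StringBuilder();
        ConsoleKeyInfo k;
        while ((k = Console.ReadKey(true)).Key != ConsoleKey.Enter)
            if (k.Key == ConsoleKey.Backspace) { if (sb.Length > 0) sb.Length--; }
            else if (!char.IsControl(k.KeyChar)) sb.Append(k.KeyChar);
        Console.WriteLine();
        return sb.ToString();
    }
}
```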

Where can I store User Permissions for my website?

Hi,
I am trying to store the user permissions for my web site, but I am a little bit confused between XML and a database. Each user on the site has different permissions. Have you ever faced this issue? For example, if my site is a shopping site, for a local user the report menu need not be displayed. A salesman need not see the purchase page, and so on.
I think you understood my problem. I have done this user management using an XML file. For each user a new node is created according to the menu and kept in the XML file. The next time the user logs in, it checks the permissions and shows only the allowed menus.
My boss tells me to do the same thing using the database. By using XmlDataSource it is quite simple to bind data to the treeview (for setting permissions) and to bind to the menustrip also.
He is pointing to the security problem. I don't think so.
Which is better? DB or XML
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
My advice would be to use asp.net membership and roles (written by Microsoft). It is a very good security solution - login security, roles (permissions) - and is stored in a SQL Server database (not sure if it can be stored elsewhere).
I use it on my site and you can use membership controls straight out of the box (login forms, change password, etc.) or you can roll your own.
The only tricky bit I found was setting up the membership tables, views and stored procs in my DB (you download a DB script), but really it was fairly straightforward to implement.
Here's a link to asp.net membership and roles
ASP .NET Membership and Roles (part of the Provider Model introduced in ASP .NET 2) is (IMHO) nice only when you need some basic stuff. The issue is that you need to use the whole system with SQL Server, but if you are planning to move to a different DB provider (MySQL, SQLite, etc.) then you'd have to implement your own provider (which is at best painful) and learn how all the pieces fit together. Granted, finding a custom implementation is quite easy, but it is not a copy & paste thing.
Another bad thing about the default provider model is that you will get a ton of SQL stored procedures, also called maintenance nightmares. The issue is that if your site scales, these SPs will make your life a living hell (been there), and if you even dare to change hosting then you're in for a treat, so my advice would be to make your own permissions hierarchy and use it the way you wish. Also, look for advice and some pre-existing solutions to the permissions problem, which is quite common.
Website security can be split up into two distinct parts.
Authentication: Logging in
Authorization: Roles/Permissions.
The ASP.NET Forms Authentication Provider is a great way to implement authentication. I recently created a custom provider that communicates with our company's X500 directory (LDAP). It was very straightforward.
For Authorization, we implemented the entlib security application block. It allows you to keep Roles/Permissions in a separate location that can be accessed by your UI as well as your service layers (assuming you're developing a scalable solution). You may also want to look at Windows Identity Foundation, which is slated to supersede the entlib security application block; however, it is only available for .NET 4.0.

Alternative approach to user management in asp.net web application

I am using asp.net 2.0. I have been using the asp.net membership provider for user management. But I think this would be more efficient if I could do this without using the role and membership providers provided in asp.net. In fact I see bulky markup generated when I add a login control, createuser control etc. in an asp.net web page.
By user management, I am referring to the overall login, user activity tracking, password reset/retrieval and role management in an asp.net web application. And I want to implement an efficient way to accomplish this.
Any suggestion would be appreciated.
What exactly bothers you? Server-side code, or the HTML which gets served to the client?
If the former, then you can implement your own providers or just reinvent the whole system from scratch (which I do not recommend, but it might be worth it in some scenarios).
If the latter, just write your own set of controls that use the Membership API.
As far as "efficiency" is concerned, you're not clear in what "efficient" means to you.
Most (all?) of the membership controls support templates, which means you can customize the markup they generate to the client.
See this tutorial to get you started: A Crash Course on ASP.NET Control Development: Template Properties
As for the database hits, I don't think it's a huge problem, but if you're concerned I'd suggest load testing it to make sure. Also, if you set CacheRolesInCookie to true, you can eliminate some of those database calls.

ASP .NET authentication against Active Directory and Roles via ASP.NET role provider

In my current project, we need to authenticate users of an ASP.NET application against Active Directory. I think it can be achieved using the membership provider without too many problems, but we also need to manage user roles that will be kept in the ASP roles management tool.
Did anyone implement this configuration? Does it look feasible?
Any tip for one or the other point?
Thanks.
David
Yes! The ASP.NET role provider is designed to work exactly in that case - the particulars of the authentication provider are irrelevant to the role provider, and it will store the bare essential information to make the two work together - basically the user's AD identity (domain\user) is tracked in the role database and matched up when necessary.
There is an ActiveDirectoryMembershipProvider that can be used to use Active Directory for authenticating users.
Alternatively, you could roll your own MembershipProvider by extending the abstract MembershipProvider class and then use System.DirectoryServices to check against Active Directory when validating a user (ValidateUser method of MembershipProvider). This is pretty straightforward to do and you need only implement the methods that you actually need in the custom provider.
You might consider implementing your own RoleProvider too, depending on whether the default fits your needs.
Use it all the time, intranet only of course.
You may be interested in the WindowsTokenCachingRoleProvider. In scenarios where performance is essential, this really shines:
http://lvildosola.blogspot.com/2007/02/improve-performance-when-using.html
Simple and elegant.
Please take a look at this question, seems like you're asking for pretty much the same thing, and my answer there should give you what you need.
ASP.NET Membership and Role providers that can be used from ASP.NET and WinForms/WPF clients as needed.
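The combination described in this thread, as an added example that is not code from any of the answers: instead of a full custom MembershipProvider, the credential check against Active Directory is done with System.DirectoryServices.AccountManagement inside the Login control's Authenticate event, and authorization is then read from the SQL role provider, so a valid domain account that has been given no application role is still refused. It assumes a Login control named Login1 on the page, a roleManager section in web.config enabled with the SqlRoleProvider, and a placeholder domain name.

```csharp
// Added example, not from the original answers. Assumes <roleManager enabled="true">
// backed by SqlRoleProvider in web.config; "corp.example" is a placeholder domain.
using System;
using System.DirectoryServices.AccountManagement;
using System.Web.Security;
using System.Web.UI.WebControls;

public partial class LoginPage : System.Web.UI.Page
{
    const string Domain = "corp.example";  // placeholder, replace with your AD domain

    // Wired up as OnAuthenticate="Login1_Authenticate" on the Login control.
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // When Authenticated is true the Login control issues the forms cookie itself;
        // the role provider then looks roles up by the same user name.
        e.Authenticated = AuthenticateAgainstAd(Login1.UserName, Login1.Password);
    }

    internal static bool AuthenticateAgainstAd(string user, string password)
    {
        // Some LDAP configurations treat an empty password as an anonymous bind,
        // which would come back as "valid"; refuse it before asking the directory.
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password)) return false;
        bool valid;
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
            valid = ctx.ValidateCredentials(user, password, ContextOptions.Negotiate);
        if (!valid) return false;
        // Authentication came from AD; authorization lives in the SQL role store.
        // No role assigned means no access, even though the password was right.
        return Roles.GetRolesForUser(user).Length > 0;
    }
}
```

The user name passed to Roles must be spelled exactly as the role store records it (for example domain\user versus a bare account name), or the lookup silently returns no roles.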