Are there any alternatives\mods to .net Membership?
I find it quite restrictive;
Cant change Username, easily. You have to create a new user and copy the fields, but then you lose the primary key OR you have to edit the user table directly yourself.
Additional profile fields are stored together as one blob.
ASP.Net membership uses a provider model. That means you are completely free to implement your own membership provider, or even inherit from and extend an existing provider, as long as you follow the provider contract.
Plus one for asking about existing alternatives rather than trying to build something new yourself, though.
I'll go ahead and list my alternative here. I've rolled my own authentication library, and I think it's awesome enough to be publicly released... So I did. It's designed to stay out of your way and overall, it's pretty minimalistic. I don't provide a lot of out of the box user controls, but on most websites I've seen those built-in user controls are never used. So instead of trying to make yet more flexible user controls, I decided instead to make it brain-dead simple to create your own login controls and such.
The project is called Fast, Secure, and Concise Authentication, or FSCAuth for short. It is BSD licensed. You can download it over at Binpress or at Bitbucket
It's flexible "UserStore" model(the Form's equivalent of provider) enables you to form your database anyway you want. It can support plain text files, XML, MongoDB, Sql Server, and anywhere in-between.
Here's a list of things where I think it particularly excels over Forms Authentication:
Stateless Authentication System. There is no requirement to keep track of user sessions in either the database or memory. This makes it trivial to scale up to multiple servers requiring few(if any) changes to your authentication code
Use anything as a Unique ID for each user. That's right, no more GUIDs! Anything that will fit in a string is fair game
HTTP Basic Authentication baked in. You can enable Basic Authentication just on pages you want(or globally) and you can make the same calls as if they were using the typical cookie-based authentication
Hard to make insecure. Because of how it works and I leave as little core-code as possible to the end user for actually doing authentication, it's extremely secure and will stay that way unless you just really try to break it. I handle cookies, HTTP Basic Auth, and all hashing. You just give FSCAuth a database to put it in.
BCrypt support for hashes is trivial. How to do it.. In Forms Authentication it is almost not possible
I like it :)
Of course it's also lacking, and to be fair I'll include a few things that are lacking
Authenticating static files in IIS 6 isn't possible(yet)
There is no brute-force prevention(yet). This means that you'll need to make sure the same person isn't trying to hit your login page 200 times in 2 seconds.
It's not built into ASP.Net
No Windows or Passport authentication (with no plans to ever add)
As the ASP.NET membership model is built around Providers, there are a number of alternatives available.
By default, users have a ProviderUserKey, which is a GUID, and that's the Primary key of the database, so you should be able to write something to change their username if you want.
In terms of the profile, yes, the default blob is fairly annoying. You could take a look at the SQL Table Profile Provider which maps profiles on to tables, or fairly quickly roll your own.
As for the Profile there are a couple of alternatives out there. These two use either a table or let you call a stored procedure. Of course you can also implement your own. I personally got tired of using the Profile Providers, and found that dealing with the profile in my code was easier to control and contain.
As for the other issues, you can also implement your own provider. Microsoft released the source code to the SQL Providers so it can give you a starting point.
As far as changing the username goes, that can easily be accomplished by using the CreateNewUser() method and filling in the appropriate fields based on the current User, and then deleting the current user.
Profile fields are not part of the .NET Membership Provider model, but part of the Profile Provider. This is a highly debated topic and for most production machines, the correct way to go is to drop-in a better profile provider solution, such as this Table Profile Provider, which stores profile fields as you'd expect rather than as a memory-hogging blob. Alternatively, you can easily roll your own profile provider, check out the instructions here.
There are certainly .NET Membership alternatives, but most are buggy or have a small featureset. It really sucks to develop on top of one for two months and then realize it won't support all the functionality you need. .NET Membership is a proven solution and that's why it is used so often.
Related
I am struggling with a basic problem. Keep my ASP.NET Core Identity context separate from my business context or combine the two.
Philosophically, it seems good to keep them separate. If I want to upgrade .NET Core at some point in the future, I have fewer issues if my identity context is separate.
Practically, it seems like a good idea to combine them. Otherwise, I am creating another user table or doing some weird workarounds to get user information from navigation properties.
How do you handle Identity contexts in .NET Core?
In my experience, its a good idea to keep identity context, separate from your business logic.
You will probably have to do some expensive encryption and other things on your identity database. There may be no need to apply such encryption to your business data
You might choose to replace, have separate backup plans and recovery plans for your identity database. non-identity database may have its own plan.
More importantly, one fine day, you might decide and go with a 3rd party auth provider and forget about managing identity yourself. At which point, you may do some migration, throw away the identity database as it is no longer needed.
So, yes, best to use different context/database.
note : I am assuming, each context is linked to a different database. This is a given, but, for the sake of clarity, putting it here.
What are the pros and cons of Azure Active Directory to manage the accounts of a simple website (at most 10 accounts, just for login to control panel), instead of SQL membership provider or the new bogus identity system in my own database. I never tried this service before but I like the fact that I don't need to take care of the database and credentials of my users, it's free and very secure I guess. Someone has tested it in production? any security advise? thanks.
Among the many upsides there's that it is free, highly available, enterprise-grade and basically management-free - all flows for entering and changing passwords and similar are already implemented for you. Also, it can be used for both web sites and web API - so that if tomorrow you want to add a mobile app for the same user population, we've got you covered.
About having tested it in production... yes, there are many many (MANY) apps using AAD in production today.
I guess that one possible downside for such a small use case is that all the defaults are set to a higher security level than you'd probably use in your scenario, translating in a bit more involvement from your users: passwords templates requiring special characters, mandatory password expiration, and so on. Of course to me it's a good thing, but I am biased :-)
Another current limitation is that the user names must be of the form alias#yourADdomain, as of today you cannot use an arbitrary string. That's usually not a big deal, but calling it out in case you have preexisting user names you need to stick to.
HTH
V.
Is there any reason why I shouldn't add contact and extended data to the users database with a custom membership provider?
What is the advantage of keeping separate one-to-one tables for user data and membership data? As I understand it, the common method is to keep separate tables. I'm thinking it would be better to have one table for users to keep SQL statements simple and custom code the membership provider.
The idea behind Membership is that it provides a plug-and-play generic membership solution. Say you want to switch from Sql to ActiveDirctory, you need only change the membership provider and everything works.
So long as you are creating a custom provider, you can do whatever you want. But, in order to get your extra data into the membership tables, you will have do so outside of the membership interface (because the API does not include fields for them). That means, you are essentially throwing away the Membership API.
My advice is to either a) use Membership as it was intended, or b) go off and do your own thing completely. Don't try to shoehorn Membership into something it's not intended for.
But, writing your own is a lot more involved than you might at first think, at least if you want to e be secure and cover all your bases.
The advantage is separation of concerns. By keeping them in separate tables, you're in a situation where the membership data store could be swapped out or modified in isolation. However, before getting too excited about the "flexibility" consider the realistic lifespan of your application. Weigh the likelihood of needing to change things in the future vs the upfront cost of implementing a custom provider.
When I've implemented custom membership providers, more often then not I've found myself at one point actually wishing I had just rolled a completely custom authentication mechanism. Once you've implemented the provider interface, you don't necessarily gain a whole lot by "plugging into" the rest of the provider infrastructure. For simple apps, I'd usually just recommend doing the simplest, easiest thing that works. If you haven't build many authentication systems, you might find the process of implementing a custom provider educational.
Using a trigger-based approach to audit logging, I am recording the history of changes made to tables in the database. The approach I'm using (with a static sql server login) to record which user made the change involves running a stored procedure at the outset of each database connection. The triggers use this username when recording the audit rows. (The triggers are provided by the product OmniAudit.)
However, the ASP.NET Membership tables are accessed primarily through the Membership API. I need to pass in the current user's identity when the Membership API opens its database connection. I tried subclassing MembershipProvider but I cannot access the underlying database connection.
It seems like this would be a common problem. Does anyone know of any hooks we can access when the ASP.NET Membership makes its database connection?
Update 2:
Not looking good on the AOP front, I am afraid - see Is is possible to intercept a static method on an object you don't own and did not create?
And as alluded to in comments, it looks like the best bet is to use the Provider Toolkit's implementation of the providers and wire your hook into SqlConnectionHelper.GetConnection()
I use the toolkit code, which I have cleaned up considerably, reliably for years with no problems. Let me confirm on 4.0 and package it up if you are interested.
Update:
Ok, I think I better understand your need, tell me if I am correct:
You need the actual connection that is being used by the provider?
SqlMembershipProvider utilizes a helper class, System.Web.DataAccess.SqlConnectionHolder, for all of it's data access.
I have not done this, but from what I have gathered, you could intercept calls to build this object using an AOP implementation such as Castle DynamicProxy (or one of the libraries that leverage it) and get your connection there.
Could some one with more experience confirm or deny this?
Original answer:
No need to derive from SqlMembershipProvider. Just go in and get what you need.
string connectionString =
typeof(SqlMembershipProvider)
.GetField("_sqlConnectionString",BindingFlags.NonPublic | BindingFlags.Instance)
.GetValue(Membership.Provider);
Our requirement is something like this.
We are building a multi-tenant website in ASP.NET MVC, and each customer should be able to create their own users as per predefined user roles.
We are thinking about to create a schema for few tables which would be common for customers. So customer can login to system according to their schema logins and we need not to alter any queries to serve all of them.
We are referring http://msdn.microsoft.com/en-us/library/aa479086.aspx Shared Database, Separate Schemas.
Can someone suggest on following
1. After creating schema how to authorize user against a particular schema
2. Is this possible that without any changes in queries db can serve multi-tenants
Thanks in advance
Anil
After much research, I can say that, although it takes more development up front and more checks along the way, shared database and shared schema is the way to go. It puts a little bit of limits on how easily you can cater to a client's specific needs, but from my point of view SAAS isn't about catering to a single client's weird needs. It's about catering to the majority of clients. Not that it's a SAAS but take iPhone as an example. It was built to cater to the masses. Rather than focusing on doing everything it's built to be one-size fits all just by its simplicity. This doesn't help your case when it comes to authoriztion but it'll save you dev hours in the long run.
If you are asking this in the context of SQL Server authentication/authorization mechanism, i can asnwer this question with saying that every user has a default schema which helps query engine to find out required object in the database.
SQL Query Engine will look at the user's default schema first to find the required object (table). If it founds the object in user's schema then use it, otherwise goes to system default schema (dbo) to find it.
Check this article's How to Refer to Objects section to find out how it works. The article also has some information about security concepts related to schemas.