I need to implement a user authentication system that supports anonymous users, like how this site works. Can it be done with the default ASP.NET membership provider? If not, what are some of the things I need to do?
Yes, it can be done. There's even a special event to migrate anonymous user details once the user logs in:
http://msdn.microsoft.com/en-us/library/system.web.profile.profilemodule.migrateanonymous.aspx
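A sketch of the handler that event calls for, added here as an example and not taken from the answer or the linked page. The profile property names (`Theme`, `CartId`) are hypothetical, and it assumes web.config has `<anonymousIdentification enabled="true" />` and profile properties marked `allowAnonymous="true"`.

```csharp
// Global.asax.cs -- added example; property names below are hypothetical.
using System;
using System.Web;
using System.Web.Profile;
using System.Web.Security;

public class Global : HttpApplication
{
    // Only these properties are carried over from the anonymous profile.
    // Anything that affects authorization should never be migrated.
    private static readonly string[] MigratableProperties = { "Theme", "CartId" };

    // ASP.NET wires this up by name to ProfileModule.MigrateAnonymous.
    // It fires when a request carries both an anonymous ID and an
    // authenticated identity, i.e. right after the user logs in.
    public void Profile_OnMigrateAnonymous(object sender, ProfileMigrateEventArgs args)
    {
        // Load the profile stored under the anonymous ID (isAuthenticated: false).
        ProfileBase anonymous = ProfileBase.Create(args.AnonymousID, false);
        // Profile of the user who has just authenticated.
        ProfileBase current = args.Context.Profile;

        foreach (string name in MigratableProperties)
        {
            object value = anonymous.GetPropertyValue(name);
            if (value != null)
            {
                current.SetPropertyValue(name, value);
            }
        }
        current.Save();

        // Remove the anonymous profile and its cookie; otherwise the
        // event fires again on every subsequent request.
        ProfileManager.DeleteProfile(args.AnonymousID);
        AnonymousIdentificationModule.ClearAnonymousIdentifier();
    }
}
```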
Related
I am going to setup a custom role provider, but I don't have a very good idea of how it works behind the scenes.
[Questions]
What is the difference between setting roles in a form authentication ticket and using a custom role provider? Which is better to use?
If I create a custom role provider can I use role names in the web.config to allow / block users?
Thx!
1- Not sure that there is a "better" choice, that has to do with the requirements of the project. I created a role provider based on Windows Authentication rather than Forms Authentication for an internal project because I didn't want to create a bunch of AD groups and I wanted Windows Auth to allow users into the site. As far as what does it do, it interacts with authenticated users to define who is allowed in what areas of the site.
2- Yes.
some additional info
I have only one user for my ASP.NET application and I have to create the authentication system for the website. What could be the best, secure and easiest way I can do that?
I believe that creating a table in a database for a single user is not at all a good choice. At the same time, security is the major need for the authentication.
You can store the username and (hashed) password in the web.config.
http://msdn.microsoft.com/en-us/library/e01fc50a.aspx
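What that looks like in a login page, as an added example that is not the answerer's code: the control names, the user name and the placeholder hash are assumptions, and the web.config fragment it relies on is shown in the leading comment.

```csharp
// Login.aspx.cs -- added example; control names are hypothetical.
//
// Assumed web.config fragment (hash value is a placeholder, not a real hash):
//   <authentication mode="Forms">
//     <forms loginUrl="~/Login.aspx" requireSSL="true">
//       <credentials passwordFormat="SHA1">
//         <user name="admin" password="PLACEHOLDER_SHA1_HEX" />
//       </credentials>
//     </forms>
//   </authentication>
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class Login : Page
{
    // Bound to the controls declared in Login.aspx (hypothetical IDs).
    protected TextBox UserNameBox;
    protected TextBox PasswordBox;
    protected Label ErrorLabel;

    // Run once, out of band, to produce the value stored in web.config.
    public static string HashForConfig(string password)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Authenticate hashes the supplied password with the configured
        // passwordFormat and compares it to the <credentials> entry.
        if (FormsAuthentication.Authenticate(UserNameBox.Text, PasswordBox.Text))
        {
            // Issues a session-only forms-auth cookie and redirects
            // to ReturnUrl or the default page.
            FormsAuthentication.RedirectFromLoginPage(UserNameBox.Text, false);
        }
        else
        {
            // Same message for unknown user and wrong password.
            ErrorLabel.Text = "Invalid user name or password.";
        }
    }
}
```

The `<credentials>` section accepts only `Clear`, `MD5` and `SHA1`, all unsalted, so web.config has to be protected like a password file.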
Since you don't have to worry about user maintenance, just add the user to the local system and establish integrated windows authentication. This keeps the password secure, the login is done through NTLM, and you can use the built-in Identity class to keep track of the logged in user.
As I understand it "forms" is just a method to authenticate users. Is this correct?
But what "membership" really is I don't know. I've written a custom membership provider but I still don't really see what "membership" is about it if I'm using a custom user table and custom roles table.
So what is forms?
And what is membership?
"Forms" authentication is using the ability to use a form to authenticate a user through them entering a username and password. This is in contrast to using Windows authentication.
"Membership" is a way of storing information against a certain user once they have been authenticated and are logged into the system.
Hope this helps.
By "forms" it means we use a web form to facilitate authentication, whereas Membership gives us a built-in way to validate and store user credentials.
As far as I understand:
Forms is a method to identify requests. It provides a mechanism to store and check authorization cookies in a secure way.
Membership is a "backed" service for forms, that verifies provided credentials across SQL, ActiveDirectory and others.
All our in-house projects use Active Directory authentication and impersonation as this is the accepted security policy for the company.
I currently have a scenario where I need to store user profile information, and I would like to use the built-in Profile Providers which are standard in ASP.NET. I've previously used this happily with Forms Authentication; however, I can't find any helpful information on how to implement this when using Windows Authentication.
Is there any way I can get just the Profile Provider working with Windows Authentication out of the box?
Will I be forced to create a custom profile provider?
The data will be stored in the database, not in Active Directory. However if the latter is possible some guidance would be appreciated.
Notes
I don't need to use the Role provider, this is handled by AD.
I am not sure if I need to implement the AD Membership provider to get the Profile Provider to work.
You can just use the standard SqlProfileProvider. As username, use the Context.User.Identity.Name property. ASP.NET will create a user entry in its standard tables itself to keep track of it. The role provider also works in combination with Windows authentication. See this link for more information: http://weblogs.asp.net/scottgu/pages/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server.aspx
If you enable and configure the profile provider in the web.config, you can use it like this:
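// Requires: using System.Web.Profile;
// Load (or create) the profile keyed on the Windows-authenticated user name.
ProfileBase profile = ProfileBase.Create(Context.User.Identity.Name, true);
profile.SetPropertyValue("MyProfileProperty", propertyValue);
profile.Save();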
Good luck!
Any user who logs in needs to provide username, password and domain. For that user a windows identity shall be created on the server side. In this scenario what is the best way to handle user's session across the pages using his identity in ASP.Net?
Maybe I don't understand the question here but to me it seems like you could just create a custom membership/profile provider that authenticates to AD. If the account cannot be found then create them. This would allow you to act as normal on the ASP.NET side of things while still allowing you to interact with AD.
MS Howto:
http://msdn.microsoft.com/en-us/library/ms998360.aspx
Sorry if this is not what you are looking for, but this seems right based on the question.
I'm guessing the username, password, domain is authenticated against an Active Directory? If so, you'll be interested in this article: How To: Use Forms Authentication with Active Directory in ASP.NET 2.0
If you are just using session to 'remember someone is logged in' this will handle it all for you.
Use session variable to store user details.