I want to write a web application and I am trying to figure out what my possibilities are regarding user Authorization and Authentication. From what I have read so far:
- using asp.net membership and role management
- using oauth or openId controls
- implementing this portion myself (this looks like a lot of hard work and I am not sure if it's worth it)
What do you recommend? Or can you link to more information regarding this issue?
thank you
Doron
Using ASP.NET MembershipProvider, ProfileProvider and RoleProvider is the best solution IMO, as it makes your application pluggable, works with the framework, and forces a nice layer of abstraction.
I don't recommend using the static classes to access the providers, I would always take a dependency on the provider directly through DI and keep things testable.
// Inject the configured provider so the service can be tested with a fake provider
var service = new UserService(Membership.Provider);
service.MyUserAction("myusername");
// rather than going through the static Membership facade
var user = Membership.GetUser("myusername");
...
OAuth or OpenID can be used to complement and extend a basic forms implementation, allowing users to log in through other providers, but then map them to a local user so that you can store additional metadata.
You don't really have to use the providers to take advantage of ASP.NET authentication; making use of the auth cookie through FormsAuthentication.SetAuthCookie is a nice shortcut for post-authentication.
Rolling your own is a bad idea. The built-in mechanisms are not foolproof, but they are a solid base implementation that avoids the basic gotchas that most people fall for. Never use Session for any authentication or authorisation logic, as it's highly insecure.
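The three points in the answer above (inject the providers rather than use the static facades, issue the forms-auth cookie after the provider has validated the credentials, and never let a Session flag stand in for authentication) in one piece of code. This is an added example, not the answerer's code; the class and method names UserService, LoginHandler, TryLogin, IsAdmin and InsecureIsAdmin are hypothetical, and it assumes the standard System.Web.Security providers configured in web.config.

```csharp
// Added illustration, not from the original answer. Hypothetical names:
// UserService, LoginHandler, TryLogin, IsAdmin, InsecureIsAdmin.
using System;
using System.Web;
using System.Web.Security;

public class UserService
{
    private readonly MembershipProvider _membership;
    private readonly RoleProvider _roles;

    // Take the providers as constructor dependencies so a test can pass an
    // in-memory MembershipProvider/RoleProvider subclass instead of hitting the database.
    public UserService(MembershipProvider membership, RoleProvider roles)
    {
        if (membership == null) throw new ArgumentNullException("membership");
        if (roles == null) throw new ArgumentNullException("roles");
        _membership = membership;
        _roles = roles;
    }

    // Credential check is delegated to the provider, which owns password
    // hashing, lockout counters and the password format.
    public bool Validate(string username, string password)
    {
        return _membership.ValidateUser(username, password);
    }

    // Authorization decision is delegated to the role provider.
    public bool IsInRole(string username, string role)
    {
        return _roles.IsUserInRole(username, role);
    }
}

public static class LoginHandler
{
    // Post-authentication step: only after the provider has validated the
    // credentials do we issue the forms-authentication ticket. That encrypted,
    // MAC-protected cookie is what the framework checks on later requests.
    public static bool TryLogin(UserService users, string username, string password, bool rememberMe)
    {
        if (!users.Validate(username, password))
            return false;

        FormsAuthentication.SetAuthCookie(username, rememberMe);
        return true;
    }

    // What the answer warns against: a Session value used as the auth signal.
    // It is plain application state, not tied to a validated ticket, so any
    // code path that writes it grants access. Shown only as the anti-pattern.
    public static bool InsecureIsAdmin(HttpSessionStateBase session)
    {
        return (session["IsAdmin"] as bool?) == true;   // don't do this
    }

    // Preferred check: identity comes from the validated forms-auth ticket
    // (ctx.User), role membership from the role provider.
    public static bool IsAdmin(HttpContextBase ctx, UserService users)
    {
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return false;
        return users.IsInRole(ctx.User.Identity.Name, "Admin");
    }
}

// Composition root (e.g. Global.asax or a DI container registration):
// var users = new UserService(Membership.Provider, Roles.Provider);
// bool ok = LoginHandler.TryLogin(users, "myusername", password, rememberMe: false);
```

Because UserService only sees the abstract MembershipProvider and RoleProvider types, the same code runs against SqlMembershipProvider in production and a hand-written provider in unit tests, which is the testability the answer is after.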