ASP.NET and the .NET Framework have come a long way. ASP.NET 1.0 went through a major change with the introduction of ASP.NET 2.0, which added several boilerplate features that did not exist in the 1.0 version. Providers were a major component of these features, with Membership and Roles added on top of Forms Authentication, which had been introduced with the 1.x version itself. Since then, the combination of Forms Authentication with the Membership and Role Providers has been a strong and proven mechanism for handling the authentication as well as the authorization needs of a .NET web application. Together they can be used to validate a user with Membership and then create and manage an authentication ticket with Forms Authentication.
I just recently started an ASP.NET MVC3 project with .NET Framework 4. The MVC3 project template gives you a choice to add all the basic code to implement your security via Forms Authentication / Membership. I have had 4 successful projects with Forms / Membership – 2 were even integrated with SSO. I had every reason to go for it because I felt very comfortable with it. I must say it took me at most an hour to configure everything the way I wanted it to work. I did not have to struggle with anything or learn any new technology tricks. I loved that feeling, because otherwise, every step of the way, you end up learning something new with every version that's introduced. I don't consider that a bad thing; however, as much as changing technologies are good to have, stable features give you the comfort and speed required to get the project going. ASP.NET MVC has kept all the goodness, except that now the security functions are called via Controller / Action methods.
If you are using Single Sign-On with some kind of federated database, it's really easy to integrate the two together as well. Just make sure that the credentials which exist in the federated database also exist in the ASP.NET Membership database. Once the credentials are authenticated in the SSO database, you take the same credentials, validate them against the Membership database, and assign Roles accordingly if you have them. The only catch is that if the SSO system creates an authentication ticket that has its own expiry, you need to make sure the user is signed out of the SSO system when the user signs out of the Forms Authentication system. The Forms Authentication system creates its own ticket, which has its own expiry.
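The flow described above, sketched as an MVC3 controller. This is an added example, not code from the project discussed in this post: `ISsoClient` and its two methods are hypothetical stand-ins for whatever SSO system is in use, and the controller assumes the application's dependency resolver supplies an implementation.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical abstraction over the SSO system; the post names no SSO product or API.
public interface ISsoClient
{
    bool Authenticate(string userName, string password);
    void SignOut(string userName);
}

public class AccountController : Controller
{
    private readonly ISsoClient _sso; // assumed to be injected by the app's dependency resolver
    public AccountController(ISsoClient sso) { _sso = sso; }

    [HttpPost]
    public ActionResult LogOn(string userName, string password)
    {
        // Step 1: the SSO (federated) store authenticates the credentials.
        if (!_sso.Authenticate(userName, password))
            return LogOnFailed();

        // Step 2: the same credentials must also validate against the Membership database.
        if (!Membership.ValidateUser(userName, password))
        {
            // Do not leave an SSO ticket alive for a user the application rejected.
            _sso.SignOut(userName);
            return LogOnFailed();
        }

        // Step 3: Forms Authentication issues its own ticket with its own expiry
        // (the timeout set on <forms> in web.config). With the role manager enabled,
        // the Role Provider resolves roles per request, e.g. [Authorize(Roles = "...")].
        FormsAuthentication.SetAuthCookie(userName, false);
        return RedirectToAction("Index", "Home");
    }

    [HttpPost]
    public ActionResult LogOff()
    {
        string userName = User.Identity.Name;
        FormsAuthentication.SignOut();                // expire the forms ticket cookie
        if (!string.IsNullOrEmpty(userName))
            _sso.SignOut(userName);                   // and end the SSO ticket as well
        return RedirectToAction("LogOn");
    }

    private ActionResult LogOnFailed()
    {
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View("LogOn");
    }
}
```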
Not that the Forms Authentication / Membership system is suitable for all systems – several larger corporations have their own home-grown authentication and authorization systems. Their custom needs may be complicated enough that they cannot use Forms Authentication / Membership. However, for all small and mid-sized applications where a reliable boilerplate security mechanism is required, Forms Authentication / Membership works without any major issues. It is also comforting to see that it is stable enough for Microsoft to have kept it the same way, without needing to make many changes, through version 4. I just thought I should discuss this in a blog post because it is good to see something stable and strong in an ever-changing world of technology.