Remote Membership/Roles Management of ASP.NET 2.0 Applications

Peter Kellner recently published parts 3 and 4 of his popular how-to series on building a custom remote security management application for ASP.NET 2.0's Membership and Roles feature.  Part 3 covers Ajax enabling it with Atlas, and Part 4 covers adding personalization support with profiles.  You can find the entire series on MSDN here:

For more ASP.NET 2.0 Security Resources, please also check out my ASP.NET 2.0 Security Resources Page.

Hope this helps,

Scott

P.S. IIS 7.0 includes built-in support within its GUI Admin tool for ASP.NET 2.0 Membership and Role Management -- making both local and remote management of sites super easy.  It will work with any custom provider you've built (so it is not limited to only working with the built-in ones).  It also does all of its remote management using HTTP based web-services -- which means it can work through firewalls as well as in shared hosting environments.  I'll post some screen-shots of this in the near future showing it off (it is pretty darn cool).

 

18 Comments

  • When I need something I just come to this blog and always, that day is posted for me to use. This is called problem synchronization or something like that. Good job again!
    Al

  • Great job but I always like samples to be both C# and VB version ;) ... Regardless this article provides C#, I found it very useful. Thank you for sharing.

  • " IIS 7.0 includes built-in support within its GUI Admin tool for ASP.NET 2.0 Membership and Role Management -- making both local and remote management of sites super easy."............. I am Waiting for more information on this. This is really cool as well as a big relief. Pl. focus more in depth. Thanks

  • Hello, Can anyone point out a VB version of the articles mentioned above? I need a working demo in VB version. The article in 4 stages is great but no use since it's only in C#.

  • Dear Scott, I've added a profile provider into the web config file but the Profile class is unknown in my codes and I have a compile error. By the way, my project is an ASP.NET Web Application (not Web Site).
    How can I solve this?
    Thanks Stutt.

  • Hello Scott,

    I have been reading your blog regularly and I find it the best professional resource. Thank you for great job!

    I am designing a web application in 2.0 (I'm a novice for 2.0, although I have experience of 1.1). I would like to know your thoughts about the BEST user management design considerations in 2.0.
    Please help.

    Thanks,
    Tanmay Soni.

  • Thanks Scutt,
    It seems current build of WAP doesn't support generating the ProfileCommon class automatically.
    How can we do this manually?

  • Hi Majid,

    You can use this utility to automatically generate the ProfileCommon class for WAP projects: http://www.gotdotnet.com/workspaces/workspace.aspx?id=406eefba-2dd9-4d80-a48c-b4f135df4127

    Hope this helps,

    Scott

  • Hi Tanmay,

    In general I'd recommend using the built-in Membership API and providers in the box, unless you have a good reason to do otherwise.

    The built-in providers follow good best-practices (per row SALT hashing, etc) and have been security reviewed thoroughly, and so will be more secure than custom implementations you might write yourself.

    Having said that, if you have some custom need to store user information differently, the nice thing is that you can always drop-down and implement your own provider to plug-in.

    This page of mine includes a bunch of great ASP.NET security resource links -- including links on how to build your own custom Membership providers if you want to go that route: http://weblogs.asp.net/scottgu/archive/2006/02/24/438953.aspx

    Hope this helps,

    Scott

  • much appreciated Scutt

  • Hi Scott,

    Thanks for response.
    I got the referred book - Professional ASP.NET 2.0 Security, Membership and Role management from Stefan, and have read much of it, it really helped me a lot. Thanks for the advice.

    I see that I will be going with the built-in features provided. (thanks again for direction)
    Drilling down, I have only one question (very specific) with use of built-in functionalities.
    It is:
    How do I manage the below information:
    1. I have many other attributes of User, than provided by built in functionalities. Do I have some way to add custom attributes/columns to User definition of built-in functionalities?
    2. Is it fine if I create FKs in my other tables, that refer to User record, created by the built-in functionalities?
    Or anything you can suggest here as a best way?

    Awaiting for your comments...

    Thanks,
    Tanmay.

  • Hi Tanmay,

    In general for storing other properties about users we recommend using the "Profile" system within ASP.NET 2.0. This allows you to associate properties about users, while still keeping them separate from the username/password in the database (which you often want to do for security or scaling purposes).

    This article right below provides a simple tutorial that shows a few things -- one of which is using the Profile API: http://weblogs.asp.net/scottgu/archive/2006/07/22/Recipe_3A00_-Dynamic-Site-Layout-and-Style-Personalization-with-ASP.NET--.aspx

    Hope this helps,

    Scott

  • Hello Scott,
    I went through the related material for Provider Model.

    I also gave special concern to your suggestion of using PROFILE provider for my question of storing additional attributes for a user.

    I observed that it requires to define the additional properties to store, within the web.config file like -









    that's great to see that provider model creates necessary columns in DB, as per config nodes.

    But I am worried at one point - what if I do not want to disclose the additional attribute names and the datatypes?

    Do we have any other possible way to provide which additional attributes I want to store for user, EXCEPT web.config section (as I mentioned above).

    At this point, I found one way - to have a table FKing into the ASPNET table - aspnet_Users. I am not sure how feasible is this and whether it is recommended way.


    Please guide.

    Thanks,
    Tanmay Soni.


  • Hi Tanmay,

    You could optionally encrypt that web.config file section if you want to hide it entirely.

    Alternatively, you could just go against a database directly and bypass Profile altogether.

    Hope this helps,

    Scott
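An added example, not part of the original post or its comments: one way to encrypt the profile section of web.config with ASP.NET 2.0 protected configuration, as suggested in the reply above. The class name and the "/MyApp" virtual path are placeholders; the code assumes it runs with write access to the application's web.config.

```csharp
using System.Configuration;
using System.Web.Configuration;

// Added illustration (hypothetical helper, not from the original page).
public static class ProfileSectionProtector
{
    private const string SectionPath = "system.web/profile";

    // appPath: the application's virtual path, e.g. "/MyApp" (placeholder).
    // Returns true when the section is encrypted on exit.
    public static bool Protect(string appPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(SectionPath);

        // Nothing to protect, or the section is locked by a parent config file.
        if (section == null || section.SectionInformation.IsLocked)
            return false;

        // Already encrypted: leave the file untouched.
        if (section.SectionInformation.IsProtected)
            return true;

        // Built-in RSA provider; the key lives in a machine-level key container.
        section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reverses Protect, e.g. before editing the property list by hand.
    public static bool Unprotect(string appPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(SectionPath);

        if (section == null || !section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
}
```

ASP.NET decrypts the section transparently at runtime, so application code that uses Profile does not change. The encryption only hides the section from someone reading the file; any account that can read the RSA key container on the server can still decrypt it, and on a web farm the same key container has to be present on every server.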

  • Hello Scott,

    Thanks for response.

    Ok. So these are the possible ways, I wanted to know if I don't know about something offered. Still, it's great that I know what is possible.

    Thanks,
    Tanmay Soni.

  • I am struggling here.

    We already have an API for logging in etc. for the desktop version of our product. A username might login a number of times but each session is assigned a sessionId.

    I am trying to create a custom MembershipProvider and MembershipUser to do this. But I cannot figure out how to get the current user and get their sessionid.

    The sessionid being the only unique thing.

    Thanks
    Martin

  • Hi Martin,

    From within code you can get a User's session Id like so:

    string sessionID = HttpContext.Current.Session.SessionID;

    Hope this helps,

    Scott

  • Hi DevX,

    This blog post of mine shows how to use the SqlRoleProvider in an app with Windows Authentication: http://weblogs.asp.net/scottgu/archive/2006/07/23/Recipe_3A00_-Implementing-Role-Based-Security-with-ASP.NET-using-Windows-Authentication-and-SQL-Server.aspx

    Hope this helps,

    Scott
