How do I set up a secure login page using membership in ASP.NET?

I'm doing a login page using membership in ASP.NET, C# and MySQL and need some help setting it up securely. This is how the program should work: When the user logs in with his/her username and password, it goes and finds its authenticated username and password in MySQL. When it is true the user will log in. Can you advise?

The easiest way to do this while still staying within the ASP.NET AAA system is to use what's called "forms authentication." In web.config, ensure that the "authentication" element's "mode" attribute is set to "Forms"; using the child "forms" element, you can set up the login aspx page (i.e., the page to redirect to when a user isn't logged in). See this page for reference on forms.

There are essentially two options from here. The first is to use the asp:login control in your login page; this gives you a login box you can (at least theoretically) style however you like. You can implement a custom MembershipProvider, which talks to MySQL, verifies the user and fills in all the user fields. Or, you can handle the Authenticate event of your login control. This gets a little tricky, since you have to set User and then set a flag in the passed-in EventArgs. Here's a ref on membership providers.

The second option is to do all the logic yourself and call FormsAuthentication.RedirectFromLoginPage(). This isn't very flexible and essentially gives you no options for having different classes of users, unless you implement them all on your own using session-based variables or objects in the User object. Here is some guy who did something similar in a non-MySQL database, but don't copy his code without fixing the blatant SQL injection problems first.

Once this is done, go back to web.config and set up /system.web/authorization; this is where you list the rules for excluding people based on authentication.

There's yet another option: instead of doing any of the above, you can entirely ignore the ASP.NET AAA system and do everything yourself, like you would in PHP. This is what most people with complex apps seem to do.

As for MySQL, you'll need to write the code to do user lookups manually no matter what. You'll also need to install the ODBC driver for MySQL separately, since that doesn't come with the .NET SDK.
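As an added example (not code from the original answer or from anything it links to), here is the Authenticate event handler for the asp:login control from the first option, doing the MySQL user lookup over ODBC with a parameterised query so the submitted username can never alter the SQL text, which is the injection problem the answer warns about. The users table layout, the connection-string name MySqlUsers and the PBKDF2 hashed-password storage format are assumptions for illustration.

```csharp
using System;
using System.Configuration;
using System.Data.Odbc;
using System.Security.Cryptography;
using System.Web.UI.WebControls;

public partial class LoginPage : System.Web.UI.Page
{
    // Markup (assumed): <asp:Login ID="Login1" runat="server" OnAuthenticate="Login1_Authenticate" />
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // Once e.Authenticated is true, the Login control issues the forms-auth
        // ticket and calls FormsAuthentication.RedirectFromLoginPage itself.
        e.Authenticated = VerifyCredentials(Login1.UserName, Login1.Password);
    }

    private static bool VerifyCredentials(string userName, string password)
    {
        // Connection string kept in web.config <connectionStrings>; the name is assumed.
        string connStr = ConfigurationManager.ConnectionStrings["MySqlUsers"].ConnectionString;
        using (var conn = new OdbcConnection(connStr))
        using (var cmd = new OdbcCommand("SELECT password_hash, salt FROM users WHERE username = ?", conn))
        {
            // ODBC positional parameter: the name is bound as data, never concatenated into the SQL.
            cmd.Parameters.AddWithValue("@username", userName);
            conn.Open();
            using (OdbcDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    return false; // unknown user: same outcome as a wrong password
                byte[] storedHash = (byte[])reader["password_hash"];
                byte[] salt = (byte[])reader["salt"];
                // Assumed storage format: PBKDF2 (Rfc2898DeriveBytes), 10000 iterations,
                // 32-byte output, so the table never holds the cleartext password.
                byte[] candidate;
                using (var kdf = new Rfc2898DeriveBytes(password, salt, 10000))
                    candidate = kdf.GetBytes(32);
                return FixedTimeEquals(storedHash, candidate);
            }
        }
    }

    // Compare every byte so the time taken does not reveal how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

With this handler in place, the web.config authentication mode="Forms" and /system.web/authorization rules described above do the redirect and access-control work; the code-behind only decides whether the credentials are valid.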

Here is a bunch of stuff on forms authentication.

This was first published in December 2008