How do I set up a secure login page using membership in ASP.NET?

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Security Beating software's cross-site scripting, authentication problems Expert resolves issues plaguing OpenSTA users What is fuzz testing? What are some ways to use fuzz testing? How do I convince management to take application security seriously? Security testing sales, marketing websites Are there application security certification standards? Top tools for testing Web application security How to prevent HTTP response splitting PCI DSS compliance: WAF, code review or both? Application security careers have bright future Software security testing and techniques Web server weaknesses you don't want to overlook Using firewalls for software testing: Pros and cons Beating software's cross-site scripting, authentication problems Free Web proxy security tools software testers should get to know How to get management on board with Web 2.0 security issues Web application security best practices: Tips on implementation Testing strategies for complex environments How to make your software tamperproof Ways to approach application performance testing on a tight budget How can I tell if my software security has been breached?

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

The easiest way to do this while still staying within the ASP.NET AAA system is to use what's called "forms authentication." In web.config, ensure that the "authentication" element's "mode" attribute is set to "Forms"; using the child "forms" element, you can set up the login aspx page (i.e., the page to redirect to when a user isn't logged in). See this page for reference on forms.

There are essentially two options from here. The first is to use the asp:login control in your login page; this gives you a login box you can (at least theoretically) style however you like. You can implement a custom MembershipProvider, which talks to MySQL, verifies the user and fills in all the user fields. Or, you can handle the Authenticate event of your login control. This gets a little tricky, since you have to set User and then set a flag in the passed-in EventArgs. Here's a ref on membership providers.

The second option is to do all the logic yourself and call FormsAuthentication.redirectFromLoginPage(). This isn't very flexible and essentially gives you no options for having different classes of users, unless you implement them all on your own using session-based variables or objects in the User object. Here is some guy who did something similar in a non-MySQL database, but don't copy his code without fixing the blatant SQL injection problems first.

Once this is done, go back to web.config and set up /system.web/authorization; this is where you list the rules for excluding people based on authentication.

There's yet another option: instead of doing any of the above, you can entirely ignore the ASP.NET AAA system and do everything yourself, like you would in PHP. This is what most people with complex apps seem to do.

As for MySQL, you'll need to write the code to do user lookups manually no matter what. You'll also need to install the ODBC driver for MySQL separately, since that doesn't come with the .net SDK.

Here is a bunch of stuff on forms authentication.