How do I set up a secure login page using membership in ASP.NET?

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Security What is fuzz testing? What are some ways to use fuzz testing? How do I convince management to take application security seriously? Security testing sales, marketing websites Are there application security certification standards? Top tools for testing Web application security How to prevent HTTP response splitting PCI DSS compliance: WAF, code review or both? Application security careers have bright future How to prevent anti-DNS pinning attacks Open source application security testing tools Software security testing and techniques Fixing four Web 2.0 input validation security mistakes Commonly-overlooked security flaws in rich Internet applications Web security problems: Five ways to stop login weaknesses 10 steps to acing Web app security assessments Hack maliciously to boost your software's security Software Testing: How to know you're ready to start testing Software security best practices: Roles developers must play The role of quality assurance (QA) pros in software security What is fuzz testing? What are some ways to use fuzz testing? Software security: Removing insecurity from outsourced development

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

The easiest way to do this while still staying within the ASP.NET AAA system is to use what's called "forms authentication." In web.config, ensure that the "authentication" element's "mode" attribute is set to "Forms"; using the child "forms" element, you can set up the login aspx page (i.e., the page to redirect to when a user isn't logged in). See this page for reference on forms.

There are essentially two options from here. The first is to use the asp:login control in your login page; this gives you a login box you can (at least theoretically) style however you like. You can implement a custom MembershipProvider, which talks to MySQL, verifies the user and fills in all the user fields. Or, you can handle the Authenticate event of your login control. This gets a little tricky, since you have to set User and then set a flag in the passed-in EventArgs. Here's a ref on membership providers.

The second option is to do all the logic yourself and call FormsAuthentication.redirectFromLoginPage(). This isn't very flexible and essentially gives you no options for having different classes of users, unless you implement them all on your own using session-based variables or objects in the User object. Here is some guy who did something similar in a non-MySQL database, but don't copy his code without fixing the blatant SQL injection problems first.

Once this is done, go back to web.config and set up /system.web/authorization; this is where you list the rules for excluding people based on authentication.

There's yet another option: instead of doing any of the above, you can entirely ignore the ASP.NET AAA system and do everything yourself, like you would in PHP. This is what most people with complex apps seem to do.

As for MySQL, you'll need to write the code to do user lookups manually no matter what. You'll also need to install the ODBC driver for MySQL separately, since that doesn't come with the .net SDK.

Here is a bunch of stuff on forms authentication.