
How do I set up a secure login page using membership in ASP.NET?


I'm doing a login page using membership in ASP.NET, C# and MySQL and need some help setting it up securely. This is how the program should work: When the user logs in with his/her username and password, it goes and finds its authenticated username and password in MySQL. When it is true the user will log in. Can you advise?
The easiest way to do this while still staying within the ASP.NET AAA system is to use what's called "forms authentication." In web.config, ensure that the "authentication" element's "mode" attribute is set to "Forms"; using the child "forms" element, you can set up the login aspx page (i.e., the page to redirect to when a user isn't logged in). See this page for reference on forms.

There are essentially two options from here. The first is to use the asp:login control in your login page; this gives you a login box you can (at least theoretically) style however you like. You can implement a custom MembershipProvider, which talks to MySQL, verifies the user and fills in all the user fields. Or, you can handle the Authenticate event of your login control. This gets a little tricky, since you have to set User and then set a flag in the passed-in EventArgs. Here's a ref on membership providers.

The second option is to do all the logic yourself and call FormsAuthentication.RedirectFromLoginPage(). This isn't very flexible and essentially gives you no options for having different classes of users, unless you implement them all on your own using session-based variables or objects in the User object. Here is some guy who did something similar in a non-MySQL database, but don't copy his code without fixing the blatant SQL injection problems first.

Once this is done, go back to web.config and set up /system.web/authorization; this is where you list the rules for excluding people based on authentication.

There's yet another option: instead of doing any of the above, you can entirely ignore the ASP.NET AAA system and do everything yourself, like you would in PHP. This is what most people with complex apps seem to do.

As for MySQL, you'll need to write the code to do user lookups manually no matter what. You'll also need to install the ODBC driver for MySQL separately, since that doesn't come with the .NET SDK.

Here is a bunch of stuff on forms authentication.
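As an added example (not the expert's code), this is the Authenticate-event route described above: the code-behind of the login page validates the user against MySQL over ODBC with a parameterised query, so the username is never concatenated into SQL, and compares a salted PBKDF2 hash rather than a plaintext password. The DSN name, the `users` table and its `pw_salt`/`pw_hash` columns, and the iteration count are assumptions; the asp:Login control itself performs the redirect once `e.Authenticated` is set.

```csharp
using System;
using System.Data.Odbc;
using System.Security.Cryptography;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login : Page
{
    // Assumed: a system DSN pointing at the MySQL database (ODBC driver installed separately).
    private const string ConnStr = "DSN=MyMySqlDsn;";
    private const int Iterations = 10000;   // assumed PBKDF2 work factor used when hashes were stored

    // Wired to the asp:Login control: <asp:Login ID="Login1" runat="server" OnAuthenticate="Login1_Authenticate" />
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // The control calls FormsAuthentication.RedirectFromLoginPage when this flag is true.
        e.Authenticated = ValidateUser(Login1.UserName, Login1.Password);
    }

    private static bool ValidateUser(string username, string password)
    {
        byte[] salt, storedHash;
        using (OdbcConnection conn = new OdbcConnection(ConnStr))
        using (OdbcCommand cmd = new OdbcCommand(
            "SELECT pw_salt, pw_hash FROM users WHERE username = ?", conn))
        {
            // ODBC uses positional "?" placeholders; the value is bound, not spliced into the SQL text.
            cmd.Parameters.AddWithValue("@username", username);
            conn.Open();
            using (OdbcDataReader rdr = cmd.ExecuteReader())
            {
                if (!rdr.Read()) return false;          // unknown user: same result as a bad password
                salt = (byte[])rdr[0];
                storedHash = (byte[])rdr[1];
            }
        }

        // Re-derive the hash from the submitted password with the stored salt.
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        byte[] candidate = kdf.GetBytes(storedHash.Length);

        // Compare every byte regardless of mismatches so timing does not reveal how much matched.
        int diff = candidate.Length ^ storedHash.Length;
        for (int i = 0; i < candidate.Length && i < storedHash.Length; i++)
            diff |= candidate[i] ^ storedHash[i];
        return diff == 0;
    }
}
```

With `<authentication mode="Forms">` and a `<deny users="?" />` rule under `/system.web/authorization` in web.config, anonymous visitors are sent to this page and only return once the event handler accepts them.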

This was last published in December 2008
