Andrew Backes

Reputation: 1904

Authentication without using Forms Authentication

I am creating a personal website in which I would like users to register for. I have been looking up various security measures that need to be taken, and am curious as to what the main things I have to pay attention to. I have decided to not use ASP.NET Forms Authentication, primarily for the fun of creating the authentication process myself. Here is what I have done thus far:

Is there a better way to go about tracking logged in users? Or is this an acceptable, yet still secure, way of handling things?

Upvotes: 2

Views: 1377

Answers (2)

Sergey

Reputation: 3213

In my opinion a better way is to have user information in the encrypted cookie, that way your server does not need to keep track of each user in session. And it's more reliable than session. What you can do is to use only the mechanism for creating a secure authentication cookie from FormsAuthentication and use your own authorization for example.

public void OnLoginClick(object sender, EventArgs e)
{
   // Assumed: the login form has UserName and Password controls
   string username = UserName.Text;
   string pass = Password.Text;
   if (MySqlValidUser(username, pass)) // this is where you would check if user is valid
   {
      // second argument is createPersistentCookie (bool); false issues a session cookie
      FormsAuthentication.SetAuthCookie(username, false);
      Response.Redirect("/");
   }
}

That way if you have forms authentication enabled you can easily access User.Identity.Name or User.IsAuthenticated on your asp.net pages

<authentication mode="Forms" />

Upvotes: 1

to StackOverflow

Reputation: 124814

Is there a better way to go about tracking logged in users?

Microsoft designed Forms Authentication to use an encrypted cookie, with a cookieless fallback that uses querystring. So they obviously think it's a better way than using Session.

One advantage is that a User isn't automatically logged out if his Session is lost (timed out, but can also be lost if the application is recycled when using InProc Session - which is the default).

If you really want to "roll your own", I suggest you consider:

  1. Writing a custom MembershipProvider, which will work with the FormsAuthentication infrastructure but enable you to learn something about the implementation details.

  2. Or study the FormsAuthentication design, and attempt to replicate most of it (for example: you might omit support for cookieless authentication).

Upvotes: 1
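Both answers come down to the same building block: a ticket that the server encrypts and authenticates, stores in a cookie, and can verify later without keeping Session state. The following is an added C# example, not code from either answer, sketching such a ticket with AES-GCM as option 2 above suggests; it assumes a 32-byte key loaded from protected configuration (the machineKey role) and hypothetical names AuthTicket, Issue and Validate.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed example: an encrypted, authenticated, expiring ticket in the spirit
// of the FormsAuthentication cookie. The key is assumed to come from configuration.
public static class AuthTicket
{
    // AES-GCM provides confidentiality and integrity together, so a tampered or
    // forged cookie fails decryption instead of yielding an attacker-chosen name.
    public static string Issue(byte[] key, string userName, TimeSpan lifetime, DateTimeOffset now)
    {
        long expires = now.Add(lifetime).ToUnixTimeSeconds();
        byte[] plaintext = Encoding.UTF8.GetBytes(expires + "|" + userName);
        byte[] nonce = new byte[AesGcm.NonceByteSizes.MaxSize]; // 12 bytes, fresh per ticket
        RandomNumberGenerator.Fill(nonce);
        byte[] cipher = new byte[plaintext.Length];
        byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize];     // 16-byte authentication tag
        using var aes = new AesGcm(key);
        aes.Encrypt(nonce, plaintext, cipher, tag);
        // Cookie value layout: base64(nonce || tag || ciphertext)
        byte[] blob = new byte[nonce.Length + tag.Length + cipher.Length];
        Buffer.BlockCopy(nonce, 0, blob, 0, nonce.Length);
        Buffer.BlockCopy(tag, 0, blob, nonce.Length, tag.Length);
        Buffer.BlockCopy(cipher, 0, blob, nonce.Length + tag.Length, cipher.Length);
        return Convert.ToBase64String(blob);
    }

    // Returns the user name, or null when the cookie is malformed, forged or expired.
    public static string Validate(byte[] key, string cookie, DateTimeOffset now)
    {
        byte[] blob;
        try { blob = Convert.FromBase64String(cookie); } catch (FormatException) { return null; }
        const int NonceLen = 12, TagLen = 16;
        if (blob.Length < NonceLen + TagLen) return null;
        var nonce = new ReadOnlySpan<byte>(blob, 0, NonceLen);
        var tag = new ReadOnlySpan<byte>(blob, NonceLen, TagLen);
        var cipher = new ReadOnlySpan<byte>(blob, NonceLen + TagLen, blob.Length - NonceLen - TagLen);
        byte[] plain = new byte[cipher.Length];
        try { using var aes = new AesGcm(key); aes.Decrypt(nonce, cipher, tag, plain); }
        catch (CryptographicException) { return null; } // tag mismatch: tampered or wrong key
        string[] parts = Encoding.UTF8.GetString(plain).Split('|', 2);
        if (parts.Length != 2 || !long.TryParse(parts[0], out long expires)) return null;
        if (now.ToUnixTimeSeconds() >= expires) return null;    // expiry is inside the ciphertext
        return parts[1];
    }
}
```

The ticket only protects its own contents; the cookie carrying it should still be written with the Secure and HttpOnly flags, and a server-side revocation list is needed if logout must invalidate an unexpired ticket.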
