danielovich

Reputation: 9687

Alternatives to the baked-in ASP.NET authentication model

When I look at how devs implement login and "authentication" in other web frameworks, it looks like most of the time they just set a server session and check whether that's set or not before they let people in. We even did this in ASP classic back in the day and it seemed to work just fine.

E.g. RoR: http://www.codeproject.com/Articles/575551/User-Authentication-in-Ruby-on-Rails, PHP: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

Implementing a custom membership provider can seem like a long way to go for logging in users and, say, calling Session.Abandon when they're done. And frankly I am not sure I understand the security risks of not using the Membership provider, even though I have for many years.

A few thoughts please.

Upvotes: 0

Views: 65

Answers (1)

Mike Brind

Reputation: 30065

Forms Authentication is not dependent on Membership Providers. You can use Forms Authentication on its own, which is what I have done in the past. Here's an article that describes how: How to: Implement Simple Forms Authentication.

There is nothing to stop you using a Session variable to track users instead. There are no security implications in doing this either, so long as you follow basic secure coding principles:

  1. Never trust user input
  2. Always use parameters/stored procedures in your data access
  3. Encrypt/hash any passwords that you store.

Upvotes: 1
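The approach in the answer above, Forms Authentication without a Membership provider, as an added example that is not code from the answer or the linked article. It applies the three listed principles in one login routine; the `SimpleLogin` class and the `Users` table with its columns are hypothetical names chosen for illustration.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;

public static class SimpleLogin   // hypothetical helper, not a framework type
{
    // Assumed schema (hypothetical):
    // Users(UserName nvarchar(64), Salt varbinary(16), PwdHash varbinary(32), Iterations int)
    const int HashBytes = 32;

    // Principle 3: store a salted, iterated hash (PBKDF2), never the password.
    // This constructor overload uses HMAC-SHA1 as the underlying PRF.
    public static byte[] HashPassword(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Compare hashes without returning early on the first differing byte.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static bool TrySignIn(string connStr, string userName, string password)
    {
        // Principle 1: validate input before it reaches the data layer.
        if (string.IsNullOrEmpty(userName) || userName.Length > 64) return false;
        if (string.IsNullOrEmpty(password)) return false;

        const string sql = "SELECT Salt, PwdHash, Iterations FROM Users WHERE UserName = @u";
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Principle 2: the user name is bound as a parameter, never concatenated.
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            using (var row = cmd.ExecuteReader())
            {
                if (!row.Read()) return false;               // unknown user
                var computed = HashPassword(password, (byte[])row["Salt"], (int)row["Iterations"]);
                if (!FixedTimeEquals(computed, (byte[])row["PwdHash"])) return false;
            }
        }
        // Issue the encrypted, signed Forms Authentication ticket (session cookie only).
        FormsAuthentication.SetAuthCookie(userName, false);
        return true;
    }
}
```

Sign-out is `FormsAuthentication.SignOut()`; if a Session variable is used to track the user instead, also call `Session.Abandon()` at sign-out so the old session state cannot be reused.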
