How to authenticate on ASP.NET

Question

I'm developing an ASP.NET app (c#) that need to authenticate users. To do that I have a SQL Server database with the users of this application.

Which is the best way to do that?

I've been reading this:

How to: Implement Simple Forms Authentication

In the example I will to replace this code:

<script runat="server">
  void Logon_Click(object sender, EventArgs e)
  {
    if ((UserEmail.Text == "jchen@contoso.com") && 
            (UserPass.Text == "37Yj*99Ps"))
      {
          FormsAuthentication.RedirectFromLoginPage 
             (UserEmail.Text, Persist.Checked);
      }
      else
      {
          Msg.Text = "Invalid credentials. Please try again.";
      }
  }
</script>

With my ADO.NET Entity code to search the user on the database. It will work?

Another way is Membership ([http://msdn.microsoft.com/en-us/library/tw292whz.aspx][2]) but I think it is the hardest way.

Or maybe I can use Windows Live ID but I don't know how to connect Live ID with my users table.

Thank you!

Answer 1

One of the most important security rules (#7 on the OWASP top 10) is NOT to write your own authentication mechanism when there are tried and tested mechanisms available. ASP.Net Authentication is simple to use, and tried and tested, and you are setting yourself up for all kinds of pain if you proceed down the path of writing your own mechanism.

Top 10 2007-Broken Authentication and Session Management

Answer 2

Both approaches will work but the recommended way would be to implement you're own Membership provider for two reasons:

1. The built in .NET authentication mechanisms are likely to be more robust than yours
2. It enables you to connect some of the standard .NET controls to your custom user database.

This page has instructions on how to implement your own Membership provider

Answer 3

Membership is the easiest way to provide authentication IMO. If you're interested in using it I recommend this tutorial by Scott Mitchell: