ScottGu's Blog

I usually try and spend at least an hour or two each night hanging out on the ASP.NET Forums answering questions.  The last week or so I’ve been spending a lot of time in the Security Forum answering a lot of “how to” questions about some of the new features in ASP.NET 2.0 (in particular the new ASP.NET 2.0 Membership, Role Management and Login Controls) and pointing people at resources and samples around the web about them.  What I thought I’d try and do with this post is consolidate a lot of pointers to different ASP.NET 2.0 security resources in one place.

Getting Started with ASP.NET 2.0 Membership, Roles and Forms Authentication Video

If you haven’t watched this great online video yet you absolutely should.  It walks through how to add Forms Authentication (using the <asp:login> control) with a secure Membership Credential Store + Role Based Security to a site, then implement pages that enable Registration (using the <asp:createuserwizard> control) + Change Password (using the <asp:changepassword> control) + Reset Password (using the <asp:recoverypassword> control), and then authorize page access and hide menu navigation links using the role groupings of the authenticated user.  The video shows how to-do all of this from scratch in only 17 minutes.  You can watch it here.  You can also find other great ASP.NET “how to” videos here.

ASP.NET 2.0 Membership and Role Management Overview Articles

Here are a few good tutorial articles that provide a good conceptual overview of how the new membership and role management system works. 

Scott Mitchell’s: Examining ASP.NET 2.0’s Membership, Roles and Profile (Part 1)

Scott Mitchell’s: Examining ASP.NET 2.0’s Membership, Roles and Profile (Part 2)

Scott Mitchell's: Examining ASP.NET 2.0's Membership, Roles and Profile (Part 3)

Scott Mitchell's: Examining ASP.NET 2.0's Membership, Roles and Profile (Part 5) 

MSDN: Explained: Forms Authentication in ASP.NET 2.0

MSDN: Explained: Windows Authentication in ASP.NET 2.0

ASP.NET 2.0 Security, Membership and Role Management Book

Stefan Schackow is the ASP.NET Team technical expert and feature-owner for a lot of the core sub-systems in ASP.NET, and he owned the security, membership and role management features for ASP.NET 2.0.  He has recently published an awesome book on ASP.NET Security, Membership and Roles that you can buy for $26 on Amazon here. 

You can read two big recommendations of it from ASP.NET MVPs here: Dave Sussman and Christoph Wille  I highly recommend getting a copy.

Setting up Membership + Roles on a SQL 2000 or SQL 2005 Server

By default ASP.NET 2.0 auto-creates and uses a SQL Express database to store Membership, Roles and Profile data.  If you want to instead use a SQL 2000 or SQL 2005 database, you can easily learn how to configure it using this blog post of mine.

Don't forget to always set the "applicationName" attribute when configuring ASP.NET Membership, Roles, Profile and other providers.

One common issue people forget to-do when registering membership and other providers is to configure the "applicationName" attribute on the provider declaration.  This can prevent logins from seeming to work when you copy an application to another machine.  This blog post covers this scenario more and how to fix it.

Custom Membership and Roles Providers

ASP.NET 2.0 ships with built-in SQL Server, SQL Express and Active Directory Membership and Role Providers.  The source code for these built-in providers can now be downloaded from here.

The nice thing about the system is that it is entirely extensible, which means you can create and configure your own custom credential/role stores into the system as well (either using the source code from the built-in providers, or just by extending the provider contract). 

The ASP.NET Provider Toolkit Site provides tons of content on how to create and build your own providers (including Membership and Role Providers).  It also has a link to a fully functional Membership and Role Provider that works with Access databases.  This article also discusses how to build your own Membership Provider, and can be a useful guide to integrating the membership APIs with your own existing database.

Here is a list of other free custom Membership and Roles providers (with complete source code) that I know of on the web:

• SQL Database Support for ASP.NET Membership, Roles and Personalization
• Access Database Support for ASP.NET Membership, Roles and Personalization
• MySQL Support for ASP.NET Membership and Roles
• SQLLite3 Support for ASP.NET Membership and Roles
• Oracle Support for ASP.NET Membership, Roles and Personalization (note: this is included in the PetShop sample)

You can download and configure your application to use any of the above providers.  The beauty of the system is that the Membership, Roles APIs + Login Controls don't change at all. 

Storing Custom Properties about a User during Registration

One very common question I see asked a lot is how to store custom properties about a new user as they register on the system (example: zip code, gender, etc).  The good news is that it is easy to-do this with the new ASP.NET Profile System and the built-in <asp:createuserwizard> control. 

I have a sample here that shows how to build a registration system for a site with Membership, Login, Registration, Password Recovery, Change Password, Custom Properties and Roles support – all in 24 lines of code.  If you want, you can combine this with the new SQLTableProvider for the Profile system for greater control over your profile database schema.  You can learn about that in my blog post here.

Remote Server Administration Tool Mangement of Membership/Roles

The built-in Web Administration Tool with Visual Web Developer and VS 2005 makes it easy to manage the users and roles for a local ASP.NET application. One common question I get asked is how to manage these users/roles against a remote server (for example: an application running on a remote hoster.  This blog post of mine points to two different solutions you can use to enable this.

How to Share Forms-Authentication Between ASP.NET V1.1 and ASP.NET V2.0 Apps

One common question I’ve seen is whether it is possible to share membership and forms-authentication across multiple applications.  The good news is that this is definitely possible.  Even better, it is possible to-do this across V1.1 and V2.0 applications.  This blog post of mine discusses how to-do this.

How to encrypt connection strings and web.config file settings

ASP.NET 2.0 now allows you to encrypt all configuration settings within the web.config file.  This article walksthrough how to easily do this to secure private data and configuration.

Forms Authentication Timeout Change

One change between ASP.NET V1.1 and V2.0 was the default timeout value of forms-auth cookies that are issued.  By default out of the box, ASP.NET 2.0 will time-out authentication cookies after 30 minutes of inactivity by the browser user (requiring the user to login on the next visit to the site).  You can learn more about this, and how to change the timeout to your preferred duration setting in my blog post here.

Great ASP.NET Security Blog

Dominick maintains a great Security blog at: http://www.leastprivilege.com that I'd recommend subscribing to.  He continually posts good information on building more secure apps and on how to take advantage of ASP.NET features.

Building Secure ASP.NET Applications Guide

The Microsoft PAG (Prescriptive Architecture Guidance) Team has published a great book online about ASP.NET Security Best Practices.  It is focused on ASP.NET V1.0 – but the core concepts still apply. You can read it here.  You can also then find some good tutoral scenarios here.